Phishing: What Happens When You Click ‘Unsubscribe’
When you click “unsubscribe” in a legitimate email, you intend to stop receiving further communications from the sender. However, if you’re dealing with a phishing email, clicking “unsubscribe” can lead to several unfavorable outcomes, potentially making things worse.
- Verification of Active Email Address: One of the primary objectives of phishing campaigns is to gather valid, active email addresses. By clicking on the “unsubscribe” link, you tell the attacker that your email address is active and monitored, making it a more valuable target for future scams or spam.
- Malware Infection: The link might lead to a malicious website that downloads and installs malware onto your device. This malware could be anything from ransomware (which encrypts your files and demands payment for their release) to spyware (which monitors your activities and steals sensitive information).
- Credential Harvesting: The link could redirect you to a counterfeit webpage that looks like a legitimate site you use (e.g., banking, email, or social media). The goal is to trick you into entering your login credentials, which the attackers can exploit.
- Drive-By Download Attacks: Some malicious websites are designed to exploit vulnerabilities in your web browser or its plugins. Just by visiting the site, without any further action on your part, malware might be downloaded and installed on your device.
- Tracking Pixels: Following the link, or simply loading the tracking pixels embedded in the message, can also reveal information about your device or location, enhancing the attacker's profile of you for further attacks.
- Further Spam: By interacting with the phishing email, the attackers might categorize you as an “engaged” user. This could result in an increased volume of phishing emails or spam.
Why Clicking “Unsubscribe” Isn’t Helping
- Legitimacy Misunderstanding: Many people associate “unsubscribe” links with legitimate emails. Attackers exploit this trust by including such links in phishing emails.
- False Sense of Security: Clicking “unsubscribe” might lead you to believe you’ve resolved the issue and won’t receive further malicious emails from that sender. In reality, you’ve just signaled your engagement to the attacker.
- No Regulatory Backing: Unlike legitimate marketers, who are bound by laws (such as the CAN-SPAM Act in the US) that require honoring unsubscribe requests, phishers operate outside the law. They are under no obligation to stop emailing you because you clicked “unsubscribe.”
Phishing Protection: How To Protect Yourself
- Avoid Interacting: If you suspect an email might be a phishing attempt, avoid clicking any links, downloading attachments, or interacting with the email in any way.
- Verify Directly: If unsure about an email’s legitimacy, contact the company or sender directly using a verified phone number or email address, not any contact details from the suspicious email.
- Update & Protect: Ensure your operating system, web browsers, and security software are regularly updated to defend against known vulnerabilities.
- Educate Yourself: Familiarize yourself with common signs of phishing emails, such as generic greetings, poor grammar, urgent or threatening language, and mismatched URLs.
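The signs discussed above (an unsubscribe link whose domain does not match the sender, a per-recipient identifier that confirms the address is live, and a 1x1 tracking pixel) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post; the message, domains and identifier are constructed, and the domain matching is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the "unsubscribe" link and the tracking pixel point at
# a host unrelated to the claimed sender and carry a per-recipient token.
SAMPLE_EML = """\
From: "Acme Bank" <alerts@acme-bank.example>
To: victim@example.org
Subject: Your statement is ready
List-Unsubscribe: <https://track.unrelated-host.example/u?id=7f3a9c1e2b>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Click <a href="https://www.acme-bank.example/login">here</a> to view.</p>
<p><a href="https://track.unrelated-host.example/u?id=7f3a9c1e2b">Unsubscribe</a></p>
<img src="https://track.unrelated-host.example/p.gif?id=7f3a9c1e2b" width="1" height="1">
</body></html>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.I)
IMG_RE = re.compile(r"<img\b[^>]*>", re.I)

def registrable(host):
    # Naive "last two labels" approximation of the registrable domain;
    # a real deployment would consult the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

def audit_message(raw):
    """Return findings describing suspicious unsubscribe/tracking behaviour."""
    msg = message_from_string(raw)
    sender_domain = registrable(parseaddr(msg["From"])[1].split("@")[-1])
    body = msg.get_payload()
    # Collect URLs from the List-Unsubscribe header and every anchor in the body.
    urls = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    urls += HREF_RE.findall(body)
    findings = []
    for url in dict.fromkeys(urls):  # de-duplicate, keep order
        host = urlparse(url).hostname or ""
        if registrable(host) != sender_domain:
            findings.append(f"link domain {registrable(host)} != sender {sender_domain}: {url}")
        if re.search(r"[?&][a-z_]*id=[0-9a-f]{8,}", url, re.I):
            findings.append(f"per-recipient identifier in link: {url}")
    for tag in IMG_RE.findall(body):
        if 'width="1"' in tag and 'height="1"' in tag:
            findings.append(f"1x1 tracking pixel: {tag}")
    return findings
```

A mail gateway or a user-facing "report phishing" tool can surface these findings instead of relying on the recipient to spot the mismatch by eye.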
You may also be interested in CISA's article and guide on stopping the attack cycle, or in our blog post on avoiding the top ten social media scams.