Why You Should Think Twice Before You Click ‘Unsubscribe’ in an Email…

6/10/2025
Jon Krause

There are times when your inbox probably feels like it is under siege, with dozens of emails flooding in daily, offering everything from last-minute travel deals to questionable crypto advice. Nearly every email ends with the same invitation: Click here to unsubscribe.

Before you do, however, consider this: While we’ve long been told that “unsubscribe” is a simple and safe way to get off email lists we never signed up for or no longer care about, that isn’t always the case. In fact, cybersecurity experts warn that in many instances, clicking that link might do more harm than good.

“Trust is relative. I trust my email client, but I don’t trust what’s inside the email,” says TK Keanini, chief technology officer at DNSFilter, which sells cybersecurity software. Once you click on a sender’s unsubscribe link, Keanini warns, “you’ve left the safe, structured environment of your email client and entered the open web,” where you face a new and novel set of threats.

The risks

DNSFilter has found that one in every 644 clicks on unsubscribe links that say “click here to unsubscribe” leads users to potentially malicious websites.

The lowest risk is that bad actors who have acquired your email address are testing to see if it is a live one, experts say. Clicking on that unsubscribe link “tells attackers you’re a real person who interacts with spam,” says Michael Bargury, chief technology officer and co-founder of artificial-intelligence-agent security company Zenity. It may not cause immediate harm, but it “can make you a bigger target in the future.”

Once bad actors know an email address belongs to a real person who’s paying attention, they can start to build a file on that user in the hopes of eventually extorting money through social engineering or some other scam, says Charles Henderson, executive vice president of cybersecurity services at security firm Coalfire.

Another risk associated with unsubscribe links is that they will send you to a fake but authentic-looking webpage, where criminals try to trick you into providing your login credentials or attempt to install malware on your device.

“If the redirected site asks you for your password to unsubscribe, that’s a red flag,” Bargury says. “Don’t do it.” Instead, open a new window and navigate to the actual website of the presumed sender and change your communications settings manually without clicking through any links in the body of an email, he says.

Some legitimate businesses will send users to other landing pages and ask them to re-enter their email addresses to unsubscribe from the firm’s email list. They likely do that “because the architecture of the email unsubscribe system is leveraging one single unsubscribe link for all recipients,” so it isn’t personalized for each email address, says Henderson. Still, he never clicks on any links embedded into the body of an email sent from someone he hasn’t exchanged emails with before.

“If you don’t trust the source, why would you trust their unsubscribe link?” Henderson says.

It’s possible that clicking on an unsubscribe link in the body of an email could expose a user’s device to malware, but that isn’t a highly effective tactic for bad actors, Henderson says. For the criminal to succeed, he says, three things would have to align: You would have to be using a version of a browser with an unknown vulnerability; criminals would have to be targeting the specific vulnerable browser you’re using; and you would have to have clicked on the fake unsubscribe link.

Alternative options

All three experts say they are usually comfortable using “list-unsubscribe headers”—the built-in, hyperlinked buttons maintained by many email-service providers and positioned in the heading of emails that give users an easy way to opt out of emails. These are generally safer than clicking on unsubscribe links in the body of emails, they say, because they don’t take you out to the web.

If that hyperlinked list-unsubscribe header option isn’t available, or the sender of the email looks shady, the easiest fix, experts say, is to mark the unwanted email as spam and move on.
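An added example, not part of the original article: the Python below reads the `List-Unsubscribe` (RFC 2369) and `List-Unsubscribe-Post` (RFC 8058) headers that mail clients use to build that button, and falls back to the mark-as-spam advice when neither a `mailto:` nor a one-click HTTPS target is present. The sample messages, addresses, and the function names `unsubscribe_options` and `advise` are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample messages (not real mail).
ONE_CLICK = """\
From: Shop <news@shop.example>
To: user@example.org
Subject: Weekly deals
List-Unsubscribe: <mailto:unsub@shop.example?subject=unsubscribe>,
 <https://shop.example/u/opaque-token>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Deals inside. To stop these emails, click here to unsubscribe.
"""

BODY_LINK_ONLY = """\
From: Deals <promo@unknown.example>
To: user@example.org
Subject: You won

Click here to unsubscribe: http://unknown.example/unsub?e=user@example.org
"""

def unsubscribe_options(raw):
    """Return header-based unsubscribe methods a mail client can act on
    without the user opening a web page. DKIM coverage of these headers,
    which RFC 8058 also requires, is not checked here."""
    msg = message_from_string(raw)
    header = msg.get("List-Unsubscribe", "")
    post = (msg.get("List-Unsubscribe-Post") or "").strip().lower()
    options = []
    for uri in re.findall(r"<([^>]+)>", header):  # RFC 2369: <uri>, <uri>
        uri = "".join(uri.split())                # drop header-folding whitespace
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "mailto":
            options.append(("mailto", uri))
        elif scheme == "https" and post == "list-unsubscribe=one-click":
            options.append(("one-click-post", uri))  # client POSTs, no browsing
        # Any other URI would mean opening a web page, so it is not counted.
    return options

def advise(raw):
    """Header option available: use it. Otherwise: mark as spam."""
    return "use-header-unsubscribe" if unsubscribe_options(raw) else "mark-as-spam"
```

Links in the message body are never consulted; only the headers decide the outcome.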

Still annoyed? Set up a filter for emails from the sender in question that automatically diverts them to your spam box. And going forward, use a dedicated and disposable email address when signing up for services, lists or coupons.

“You can set up an address like something.something@icloud.com just for your favorite clothing sites,” Henderson says. “If it gets spammed, turn it off. Problem solved.”

Apple’s “Hide My Email” feature, meanwhile, lets users generate unique, random email addresses that automatically forward to their real email inbox. That way, users can sign up for services, make purchases and get coupons, among other things, while keeping their email address private. Chrome and Firefox users can download and employ similar privacy extensions.

Heidi Mitchell is a writer in New York and London. She can be reached at reports@wsj.com.

Copyright ©2025 Dow Jones & Company, Inc. All Rights Reserved.