How Unsubscribing Can Backfire and Make Security Matters Worse

Unsubscribing from an email could lead to malware infection — if the sender is not reputable.

Recently, the Chief Information Security Officer (CISO) at a regional bank (that I’m not at liberty to disclose) was discussing a rash of malware incidents the bank had just experienced. Ironically, an internal initiative to reduce spam had backfired and produced a wave of serious malware infections. The problem was ultimately traced to employees who, in an effort to clean up their inboxes, were unsubscribing from junk emails. Unfortunately, the “unsubscribe” links in some of those emails sent the user’s browser to malicious webpages. While appearing to remove the employee’s address from the sender’s mailing list, the site actually installed sophisticated malware on the employee’s PC. A simple attempt to remove clutter resulted in a much bigger problem.

This CISO remarked that their financial institution is very security aware; however, many of their employees had not viewed clicking an unsubscribe link as potentially dangerous. “Obviously”, he continued, “we didn’t do an adequate job training our workforce about the risks. We should have given more weight to the hazards of unsubscribing and the potential for malware infection.”

It’s clear that not many people are cognizant of the potential dangers of unsubscribing, so while it’s not a new threat, it warrants added exposure and understanding.

Why Unsubscribing Can Hurt You

There are a number of reasons why you might not want to unsubscribe from emails. Unsubscribing confirms to the sender that your email address is valid and actively read, and that raises its value. If you are dealing with unethical spam, the sender may sell your confirmed address to others. Instead of decreasing your volume of junk mail, unsubscribing may in fact escalate it.

However, as annoying as increasing your spam volume is, a much larger problem is that you may open the door to malware infection or other attacks.

If you unsubscribe by sending an email, headers in your reply (such as X-Mailer or User-Agent, plus the Received chain) reveal what mail software you are using. That indicates what type of computer and applications you have, which lets an attacker look up the known, unpatched vulnerabilities for those exact versions. If you unsubscribe by clicking a link, your browser gives even more away: your approximate location (from your IP address), your operating system, and the specific browser and version you are running, all from the request that loads the page.

But by far, the biggest risk from unsubscribing is the potential of a drive-by download. This occurs when a malicious website exploits an unpatched vulnerability in your browser or one of its plugins to install malware on your device, without asking you to download or run anything. If your system is out of date, all you need to do is load the page.

Safely Dealing with Unwanted Email

How do we deal with unwanted email and avoid a malware infection? First of all, let me be clear that unsubscribing is not always bad. In the United States, the CAN-SPAM Act requires commercial email to carry a clear, working opt-out mechanism in the body of the message, and many legitimate senders also include the List-Unsubscribe header (RFC 2369) so that mail clients can offer their own unsubscribe button. Reputable companies honor these requests, and unless cybercriminals have compromised their site, it’s safe to unsubscribe from emails sent by trusted entities. The operative word here is “reputable.” A quick look at the unsubscribe URL can sometimes reveal an unscrupulous sender: hover over the link to see where it actually goes, and check that the domain matches the sender’s, that it isn’t a URL shortener or a bare IP address, and that it uses HTTPS. If it looks strange in any way, don’t trust it. But if you do trust the company, and the emails are clearly from them and not some impostor, go ahead and unsubscribe.

A number of email services provide safe unsubscribe features. For instance, Gmail offers users the option to unsubscribe from within its interface, acting on the sender’s List-Unsubscribe header rather than on a link in the message body. What I like about Gmail’s approach is that even if an email message includes instructions on how to unsubscribe, Gmail will not display the “unsubscribe” button if Google believes the sender’s reputation is poor. Using Gmail’s interface rather than the link in the email itself means the request goes through Google’s own checks, which is a much safer way to unsubscribe.
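The URL checks described in the two paragraphs above can be scripted. The following is an added example, not code from the original post or from any mail provider: it parses a raw message, pulls the RFC 2369 List-Unsubscribe targets and any body links whose anchor text mentions “unsubscribe”, and flags each target that a cautious reader should not click (host does not match the From: domain, bare IP host, known URL shortener, plain http). The sample message, the shortener list and the crude “last two labels” domain comparison are all assumptions made for the example; a real tool would use the public-suffix list.

```python
"""Triage the unsubscribe targets in a raw email before trusting any of them.

Added example (not from the original post). Standard library only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a short, illustrative list; real tools use a maintained one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
ANCHOR_RE = re.compile(r'<a[^>]+href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(msg):
    """Registrable domain of the From: address, or '' if there is none."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def list_unsubscribe_targets(msg):
    """RFC 2369: a comma-separated list of <uri> entries (mailto: or http(s):)."""
    return re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", "")))


def body_unsubscribe_links(msg):
    """(href, visible text) for HTML anchors whose text mentions 'unsubscribe'."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    links = []
    for href, text in ANCHOR_RE.findall(body.get_content()):
        plain = re.sub(r"<[^>]+>", "", text).strip()
        if "unsubscribe" in plain.lower():
            links.append((href, plain))
    return links


def assess(target, from_domain):
    """Reasons not to trust this target; an empty list means it is consistent with the sender."""
    reasons = []
    if target.lower().startswith("mailto:"):
        addr = target[len("mailto:"):].split("?", 1)[0]
        if "@" not in addr or registrable_domain(addr.rsplit("@", 1)[-1]) != from_domain:
            reasons.append("mailto address is not on the sender's domain")
        return reasons
    u = urlparse(target)
    host = u.hostname or ""
    if u.scheme != "https":
        reasons.append(f"not https ({u.scheme or 'no scheme'})")
    if IPV4_RE.fullmatch(host):
        reasons.append("bare IP address as host")
    if registrable_domain(host) in SHORTENERS:
        reasons.append("URL shortener hides the real destination")
    if registrable_domain(host) != from_domain:
        reasons.append(f"host {host!r} does not match sender domain {from_domain!r}")
    return reasons


def triage(raw):
    """Map every unsubscribe target found in the message to its list of warnings."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = sender_domain(msg)
    findings = {t: assess(t, from_domain) for t in list_unsubscribe_targets(msg)}
    for href, _text in body_unsubscribe_links(msg):
        findings[href] = assess(href, from_domain)
    return findings


# Constructed sample message: two legitimate targets in the header, two suspicious
# ones in the body, and one ordinary link that is not an unsubscribe link at all.
SAMPLE = """\
From: Example Newsletter <news@example.com>
To: reader@example.net
Subject: Weekly update
List-Unsubscribe: <mailto:unsub@example.com>, <https://example.com/unsubscribe?id=42>
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://example.com/news/1">Read more</a></p>
<p><a href="http://bit.ly/3xyz">Unsubscribe</a></p>
<p><a style="color:#888" href='http://203.0.113.5/u'>click here to <b>unsubscribe</b></a></p>
</body></html>
"""

if __name__ == "__main__":
    for target, reasons in triage(SAMPLE).items():
        print(target, "->", "OK" if not reasons else "; ".join(reasons))
```

Run as-is, the header targets come back clean while both body links are flagged; in practice the rule is simple: if a target carries any warning, mark the message as spam instead of clicking.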

You can also use your email system to mark any unwanted messages as spam instead of unsubscribing from them. Marking something as spam deletes or quarantines the message, but also teaches your email software that you want to block future messages. That helps not just you, but everyone else too.

Just deleting unwanted email might be the simplest and safest approach. I’ve personally found that if you never open the emails and just keep deleting them, the sender will often stop emailing you eventually, although some never do.

The Simple Approach to Spam

Technology writer, Rob Nightingale at Make Use Of (regarding spam) wrote: “Your first instinct is to click the little unsubscribe button that’s hidden at the bottom of your email subscriptions and most spam messages. All it does now is inform the pesky spammer that they’ve found an email address that’s in use. Delighted at his success, the spammer lets the rest of his spammer entourage know about you.” Nightingale says “if you don’t know who sent the email, do not press unsubscribe.”

Bottom line: If you don’t know or trust the sender, either mark the email as spam or just delete it. Don’t unsubscribe. That simple approach will help you stay malware-free.

Bert Rankin
Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.