Determining a policy on unsubscribing from newsletters and spam leaves most of us in a quandary. Roger Grimes, Data-Driven Defense Evangelist at KnowBe4 offers up some advice in this blog post.
Should You Click on Unsubscribe?
Some common questions we get are “Should I click on an unwanted email’s ’Unsubscribe’ link? Will that lead to more or less unwanted email?”
The short answer is that, in general, it is OK to click on a legitimate vendor’s unsubscribe link. But if you think the email is sketchy or coming from a source you would not want to validate your email address as valid and active, or are unsure, do not take the chance, skip the unsubscribe action.
In many countries, legitimate vendors are bound by law to offer (free) unsubscribe functionality and abide by a user’s preferences. For example, in the U.S., the 2003 CAN-SPAM Act states that businesses must offer clear instructions on how the recipient can remove themselves from the involved mailing list and that request must be honored within 10 days.
Note: Many countries have laws similar to the CAN-SPAM Act, although with privacy protection ranging the privacy spectrum from very little to a lot more protection.
The unsubscribe feature does not have to be a URL link, but it does have to be an “internet-based way”. The most popular alternative method besides a URL link is an email address to use. In some cases, there are specific instructions you have to follow, such as put “Unsubscribe” in the subject of the email. Other times you are expected to craft your own message. Luckily, most of the time simply sending any email to the listed unsubscribe email address is enough to remove your email address from the mailing list.
In rare cases, in violation of the law, some vendors only provide a mailing address or phone number. A minority of legitimate vendors do not include an unsubscribe feature in their email or obscure it so much (e.g., in a tiny font mixed up in other tiny text at the end of the email) that it might as well be missing. But in general, most legitimate business emails include an unsubscribe link (although it is not always obvious), and if you follow the link, you can get taken off that business’s email list.
Unfortunately, unsubscribing does not mean that the company has to remove you from any mailing lists they already gave or sold to other third parties, only that they cannot include your email address going forward from the moment you completed the unsubscribe action. Sometimes the resale of your email address happens so fast that unsubscribing does not prevent your email address from being used by dozens of other third parties.
It is also not unheard of for a legitimate vendor to ignore your unsubscribe request, even if they appear to give you a way to do it. Some obviously have broken processes or a poorly performing third party that supposedly handles it for them, but other vendors seem to knowingly skirt the law by claiming ignorance. There is a huge loophole in the CAN-SPAM Act that says that a vendor can continue to reach out to you if the email is “transactional or relationship”, meaning the vendor is responding to a recipient’s invited transaction or ongoing relationship. It is amazing how many vendors I have never done business with think their uninvited email is “transactional” or a continuation of our “relationship”.
Violations of the CAN-SPAM Act can cost senders up to $50,120 per violation. If you cannot get the vendor to stop sending you unwanted emails, go here.
But if you know or suspect the email is coming from a non-legitimate vendor, clicking on any unsubscribe feature is hit or miss. Some of the spam senders consider themselves legitimate businesses and will offer and abide by the unsubscribing rule of their (or their recipient’s home) country. Most will not. Most of the time, clicking on a fraudster’s unsubscribe feature will simply confirm your email address is valid and active and this will likely result in your email appearing for sale in cybercriminal forums for years.
In summary, yes, click on those unsubscribe features when included in legitimate emails from legitimate vendors, but not if the email appears to be from a spam marketer or phishing scam artist.