What is your policy on the Unsubscribe link in email messages?

I have several managers that get themselves on email lists either from trade shows they go on, downloading white papers, etc. They now want to unsubscribe to these emails. Obviously I can’t give a blanket statement that those links are safe, and these users are not always the most cautious with checking BEFORE they click. How do you handle that?

If it’s from a vendor they know and they’ve interacted with in the past (e.g., trade show as you suggested), then I recommend that they use the unsubscribe link. I much prefer that to marking it as junk. I might modify that policy a bit as we get into the KnowBe4 anti-phishing program deeper although the training should make it safer for people to confirm that these links are good before they click.

I understand your concerns. Unfortunately here the only blanket statement you can make is don’t click on links and you won’t get into trouble. If your users really can’t be bothered to make note of what they sign up for, then I suggest going the mark as spam route. It is not the end of the world.

You should use the same process as you do for every other email to assess that the email is from the actual vendor not a phish. If it passes the Knowb4 training muster test, then use the link, otherwise I would either mark it spam if it’s a phish or true spam, but if it’s a legitimate vendor and the unsubscribe link is not an option, e.g. you’ve opted to unsubscribe but they still email you (happens to me all the time, very frustrating, some of them only update the recipients list once a month and you could be getting 3 more weekly emails that month after unsubscribing - annoying!) then mark it junk. I don’t like marking it as spam if it’s a legitimate vendor as that can unnecessarily damage their ability to conduct legitimate business via email. We’re a vendor, I wouldn’t want someone doing it to me.

It is a hard one, even magazine style subscriptions I have via email such as Tech Target, Computer Weekly and other InfoSec websites grab your email address and share it with others whenever I download a whitepaper or want access to some particular news article. I tend to read the fine print and check/uncheck any boxes to try and minimise spam from related unknown companies but never click unsubscribe if I do not know them as this may lead to more trouble.

I dare say I am hoping for a lot to think that this rubbish practice will stop after 25th May 2108. One method I use to reduce this inconvenience is to use a burner email address for those one off subscriptions so even if a load of spam is potentially coming my way after a couple of days the email address doesn’t exist anymore.

Thank you for your responses! Definitely helpful.

I would agree with others, they only way they can unsubscribe is by clicking on the unsubscribe option at the bottom of the email. With them having to do it they may be a bit more careful about what they sign up to but I doubt it!

I see this thread is quite old now but I thought I might share some new developments around this conversation for those who pick it up.

Even legitimate subscriptions can get you pwned, as many of you may now be aware, the verifications.io breach is now loaded into Troy Hunt’s haveibeenpwned service and I was notified that my company email was in that breach. Now my work email is used way more cautiously than my personal email when giving it out so I can only assume that verifications.io was used by one of the work related sites or services I use, and even though I am usually hyper diligent about terms & conditions and privacy policies I cannot find which one uses them. It may be that they are not specifically listed and this is one of the things that GDPR was set to stamp out but hasn’t.

Great to see you back posting on the forum! Your posts are always insightful. Interesting question in light of GDPR. Had not thought about mail verifications services.–but presumably they are just like any other service provider under GDPR regs and subject to the right to be forgotten rule.

Thank you you are too kind. Yes I imagine they are but if you don’t know you are in a list provided to any given organisation then you can’t ask to be removed. In any case as the breach has occured its too late. Ironically all it means for me is more spam, It’s a good job I like spam especially spam fritters lol.

Matt, have you had a chance to view the new Inside Man video series trailer snd Episode 1? I’ve created a new category here for discussion. Category on left sidebar toward bottom. Love to hear your comments.

Hello Howard, thank you for letting me know about this, it would be nice to watch them, unfortunately while I am a member of this forum I am not a Knowbe4 customer and therefore cannot access the content.

Best regards

The trailer and Episode 1 are free previews for all – not just KnowBe4 customers so they can be viewed! I’d love the feedback (I binged watched the series) and they are almost Netflix quality. Ground breaking for a Security Awareness training video.

Here’s a good conversation recently had between myself and the DPO team in and around subscribe/unsubscribe - So our marketing dept have this idea that our message on our shopping basket page relating to agreeing to our T’s & C’s and reading our privacy policy is too long and puts people off (creating friction) because we get them to tick a box. Their argument is that the other big players out there like Amazon and AO for example don’t do it, why should we.

I reasoned that on their side of the argument that it is probably fair to say most consumers, even in today’s GDPR world will still tick the box even if they have not read these terms/policies because they want the products being sold and whether they agree or not if they want the items they have no choice except to go to another supplier who equally have their own similar terms and policies.

The inclusion of the tick box is there to try and help consumers understand they are entering into a legally binding contract to buy a product or service not to obtain consent for processing their details which is done under contract not consent. So from a minimalist point of view as long as they reword the statement to something along the lines of “by proceeding to click the next button, you are automatically agreeing” and still prominently provide links to both documents then I am happy for them to make the changes if indeed clicking a check box causes friction, they would have to provide me solid evidence of this. Part of me thinks all they are doing is being a lemming and following the pied piper (sorry that’s rather negative isn’t it)

On my side of the fence I think that doing it the way we do it and trying to draw attention to the legal bit is our way of being a little more open and in GDPR speak more transparent and forthcoming. Our privacy policy in particular while not detailed to the nth degree is reasonably constructed and attempts to be as consumer friendly as possible. I am forever tweaking it.

We spent some time debating internally how we should update things for GDPR relating to policies and consent for marketing, tracking data flows etc and for some of this work to be undone/revert back to days of old seems a little bit like “Why did we bother”. I for one thinks this minor cosmetic content change actually can be seen as an attempt by our organisation to be trusted.

Good question. I was in the ecommerce field for many years on the marketing be side so I know the friction argument well. Let’s see what others have to say.

Larry Abrams at Bleeping Computer had an interesting alert on its website about an old email trick come back to life. The article is titled "Beware of Emails Asking You to “Confirm Your Unsubscribe” Request.


This is a long-running scam email campaign that pretends to be an unsubscribe confirmation request has seen an uptick recently. These emails should never be clicked on or responded to as they are designed to harvest working email addresses or to perform some other type of scam.

"Over the past week, BleepingComputer has seen a constant stream of emails with subjects like “Confirm your unsubscribe request” or "Client #980920318 To_STOP_Receiving These Emails From Us Hit reply And Let Us Know
“. While this is an long-running email scam, this is the first time we encountered them, so we thought we should issue an alert.”

Unlike normal unsubscribe notifications, these scam emails do not contain any indication of what you are unsubscribing from and simply state:
Please_confirm your Unsubscribe
To confirm your Unsubscribe, please click here or on the link below.
Unsubscribe me!
Thank you!


There are several "red flags that should be triggered… No indication of what organization notifications from whom you are unsubscribing from. Email headers are from unknown source.
If you do click on the unsubscribe box it loads from 15-20 email addresses from which turn out to be from domains hosted by noip.com’s free dynamic DNS service. It then puts Unsubscribe in the subject line. Sending the message is thought to be a for the scammers to know they have a live email address. Armed with that knowledge you could be phished, or offered bogus offers or any of a number of social engineering ploys. So don’t do this! Delete.

Our Knowbe4 users have looked at the plus and minuses of establishing a no unsubscribe policy and it was a popular topic here for years. Each organization makes its own policy on this. Many users create a burner email address to direct all subscriptions too. Some users feel unsubscribing is a pain and a risk so just DEL them and send them into oblivion. On the other side of the coin there are many great publications or products out there that have great value and unfortunately they are hurt by the actions of bad actors. Do you have a policy to share?

More about this scam here:

Featured Webinars

Advanced Phishing and

Monday 1:30 PM – 2:30 PM
» Learn More
Outlook Phish Alert Button
Tuesday 1:30 PM – 2:30 PM
» Learn More
Customizing Phishing Templates, Landing Pages, & Training Notifications
Wednesday 1:30 PM – 2:30 PM
» Learn More
Active Directory Integration
(ADI) Setup

Thursday 1:30 PM – 2:30 PM
» Learn More

Friday 1:30 PM – 2:30 PM
» Learn More

Privacy Policy | Terms of Service