I have several managers that get themselves on email lists either from trade shows they go on, downloading white papers, etc. They now want to unsubscribe to these emails. Obviously I can’t give a blanket statement that those links are safe, and these users are not always the most cautious with checking BEFORE they click. How do you handle that?
If it’s from a vendor they know and they’ve interacted with in the past (e.g., trade show as you suggested), then I recommend that they use the unsubscribe link. I much prefer that to marking it as junk. I might modify that policy a bit as we get into the KnowBe4 anti-phishing program deeper although the training should make it safer for people to confirm that these links are good before they click.
I understand your concerns. Unfortunately here the only blanket statement you can make is don’t click on links and you won’t get into trouble. If your users really can’t be bothered to make note of what they sign up for, then I suggest going the mark as spam route. It is not the end of the world.
You should use the same process as you do for every other email to assess that the email is from the actual vendor not a phish. If it passes the Knowb4 training muster test, then use the link, otherwise I would either mark it spam if it’s a phish or true spam, but if it’s a legitimate vendor and the unsubscribe link is not an option, e.g. you’ve opted to unsubscribe but they still email you (happens to me all the time, very frustrating, some of them only update the recipients list once a month and you could be getting 3 more weekly emails that month after unsubscribing - annoying!) then mark it junk. I don’t like marking it as spam if it’s a legitimate vendor as that can unnecessarily damage their ability to conduct legitimate business via email. We’re a vendor, I wouldn’t want someone doing it to me.
It is a hard one, even magazine style subscriptions I have via email such as Tech Target, Computer Weekly and other InfoSec websites grab your email address and share it with others whenever I download a whitepaper or want access to some particular news article. I tend to read the fine print and check/uncheck any boxes to try and minimise spam from related unknown companies but never click unsubscribe if I do not know them as this may lead to more trouble.
I dare say I am hoping for a lot to think that this rubbish practice will stop after 25th May 2108. One method I use to reduce this inconvenience is to use a burner email address for those one off subscriptions so even if a load of spam is potentially coming my way after a couple of days the email address doesn’t exist anymore.
Thank you for your responses! Definitely helpful.
I would agree with others, they only way they can unsubscribe is by clicking on the unsubscribe option at the bottom of the email. With them having to do it they may be a bit more careful about what they sign up to but I doubt it!
I see this thread is quite old now but I thought I might share some new developments around this conversation for those who pick it up.
Even legitimate subscriptions can get you pwned, as many of you may now be aware, the verifications.io breach is now loaded into Troy Hunt’s haveibeenpwned service and I was notified that my company email was in that breach. Now my work email is used way more cautiously than my personal email when giving it out so I can only assume that verifications.io was used by one of the work related sites or services I use, and even though I am usually hyper diligent about terms & conditions and privacy policies I cannot find which one uses them. It may be that they are not specifically listed and this is one of the things that GDPR was set to stamp out but hasn’t.
Great to see you back posting on the forum! Your posts are always insightful. Interesting question in light of GDPR. Had not thought about mail verifications services.–but presumably they are just like any other service provider under GDPR regs and subject to the right to be forgotten rule.
Thank you you are too kind. Yes I imagine they are but if you don’t know you are in a list provided to any given organisation then you can’t ask to be removed. In any case as the breach has occured its too late. Ironically all it means for me is more spam, It’s a good job I like spam especially spam fritters lol.
Matt, have you had a chance to view the new Inside Man video series trailer snd Episode 1? I’ve created a new category here for discussion. Category on left sidebar toward bottom. Love to hear your comments.
Hello Howard, thank you for letting me know about this, it would be nice to watch them, unfortunately while I am a member of this forum I am not a Knowbe4 customer and therefore cannot access the content.
The trailer and Episode 1 are free previews for all – not just KnowBe4 customers so they can be viewed! I’d love the feedback (I binged watched the series) and they are almost Netflix quality. Ground breaking for a Security Awareness training video.
I reasoned that on their side of the argument that it is probably fair to say most consumers, even in today’s GDPR world will still tick the box even if they have not read these terms/policies because they want the products being sold and whether they agree or not if they want the items they have no choice except to go to another supplier who equally have their own similar terms and policies.
The inclusion of the tick box is there to try and help consumers understand they are entering into a legally binding contract to buy a product or service not to obtain consent for processing their details which is done under contract not consent. So from a minimalist point of view as long as they reword the statement to something along the lines of “by proceeding to click the next button, you are automatically agreeing” and still prominently provide links to both documents then I am happy for them to make the changes if indeed clicking a check box causes friction, they would have to provide me solid evidence of this. Part of me thinks all they are doing is being a lemming and following the pied piper (sorry that’s rather negative isn’t it)
We spent some time debating internally how we should update things for GDPR relating to policies and consent for marketing, tracking data flows etc and for some of this work to be undone/revert back to days of old seems a little bit like “Why did we bother”. I for one thinks this minor cosmetic content change actually can be seen as an attempt by our organisation to be trusted.
Good question. I was in the ecommerce field for many years on the marketing be side so I know the friction argument well. Let’s see what others have to say.