That 'unsubscribe' button may be a scam

Original link: https://www.popsci.com/technology/email-unsubscribe-scam/

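Be careful with "unsubscribe" links in emails. While they are a convenient way to clean up your inbox, they can be a trap set by scammers. Clicking these links may take you to a malicious website and confirm that your email address is valid and susceptible to spam. Scammers may also use fake unsubscribe pages to steal your login credentials.

To stay safe, be wary of any unsubscribe page that asks you to enter your password. A legitimate unsubscribe may only require you to re-enter your email address. Prefer the "list-unsubscribe headers" feature in your email client, which is a safer one-click solution. If this feature is not available, simply mark the email as spam.

For extra protection, consider using dummy email accounts or features such as Apple's "Hide My Email" to protect your primary email address. Staying vigilant can help you manage your inbox and protect your digital privacy.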

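A Hacker News thread discussed the potential pitfalls of using "unsubscribe" links in emails. Many users shared experiences with organizations (universities in particular) that make unsubscribing difficult by splitting their communications into numerous categories and automatically adding users to new ones. Others warned that clicking unsubscribe links, especially in unsolicited email, may confirm your email address to spammers and lead to more spam.

The discussion highlighted best practices for handling unwanted email, including using email aliases, reporting messages as spam instead of unsubscribing, and ensuring that businesses use double opt-in for mailing lists. Some pointed out the importance of the "List-Unsubscribe" header for making it easier to unsubscribe within email clients. One user noted that a growing number of security services automatically click every link in an email to check for phishing, which can have unintended consequences, such as users being repeatedly unsubscribed without knowing it.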

Original article

Many online scammers are adopting increasingly sophisticated strategies to trick their unsuspecting victims. While these now include everything from deepfaked audio to AI-generated images, other bad actors continue to rely on comparatively simple methods for gleaning personal information or funds from targets. The past few years have also seen an uptick in phishing schemes disguised as unpaid highway toll text message alerts. But another equally mundane strategy frequently lurks in your email inbox: fake unsubscription links.

When “Unsubscribe” is untrustworthy

Most reputable bulk email chains like newsletters, online shopping promotions, streaming service updates, and charity fundraiser requests include an option to unsubscribe from future messages—usually in the form of a hyperlink button at the bottom of the email. By and large, this still remains a comparatively safe and easy way to whittle away at that mountain of unread inbox messages (or at least try to). However, digital experts caution this isn’t always the case.

“Trust is relative. I trust my email client, but I don’t trust what’s inside the email,” Keanini, chief technology officer for the cybersecurity software company DNSFilter, told The Wall Street Journal earlier this month.

Keanini explained that anytime you click a link leading you out of your “safe, structured” email client, you’re automatically entering the open web. And that immediately poses its own unique security concerns.

DNSFilter estimates that 1 in every 644 email unsubscribe links is liable to send a user to possibly malicious sites. And while that might seem like a low percentage at first glance, try to count how many times you clicked “Delete” on junk or unwanted inbox messages in the last week alone.

Why scammers use emails as bait

So what’s the point of tricking people into thinking they’re finally digging themselves out of that avalanche of emails? It often provides an easy way for scammers to confirm that a real human being is overseeing a target email address. Not only that, but a real human being who is liable to interact with spam. While not immediately harmful in and of itself, this could put a bigger target on your online presence later.

Another, more directly problematic scenario is using a completely fake unsubscribe link to send you to a URL that looks fine, but is actually a front for stealing your login credentials. A good rule of thumb is knowing that no legitimate business will request your username and password after clicking their email’s unsubscription button.

This isn’t necessarily the case in situations that only prompt you to reenter your email address, however. The programming that underwrites unsubscription systems often hinges on a single link for all recipients. This means it won’t know who to remove until you key in your personal address. In those instances, it’s generally safe to take that extra step.

Tips for spotting scams

In general, it’s usually relatively easy to spot the scams in your inbox. For extra safety, users can often use “list-unsubscribe headers” instead. These hyperlinks are maintained by email-service providers and added into a message’s subject line or heading to offer a one-click breakup solution. This is frequently safer, since it keeps all your interactions within the email client and not the open web.

If a list-unsubscribe header is not available, there’s always the “Mark as Junk” button for those who prefer a more slash-and-burn strategy.
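How a mail client can read these headers, as an added example that is not from the article: it parses the `List-Unsubscribe` (RFC 2369) and `List-Unsubscribe-Post` (RFC 8058) headers of a raw message and falls back to "mark as junk" when neither is present. The two sample messages, their addresses and hosts, and the function name `unsubscribe_options` are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages (hypothetical addresses and hosts).
WITH_HEADER = """\
From: News <news@example.com>
Subject: Weekly digest
List-Unsubscribe: <mailto:unsub@example.com?subject=u42>,
 <https://lists.example.com/u/42>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/html

<p>Hi</p><a href="http://login.example.net/unsubscribe?id=42">Unsubscribe</a>
"""
BODY_LINK_ONLY = """\
From: Deals <deals@example.net>
Subject: You won
Content-Type: text/html

<a href="http://example.net/unsubscribe">Unsubscribe</a>
"""

def unsubscribe_options(raw):
    """Summarise how to unsubscribe from a message without opening its body links."""
    msg = message_from_string(raw)
    # RFC 2369: comma-separated URIs, each in angle brackets (header may be folded).
    uris = re.findall(r"<\s*([^>\s]+)\s*>", msg.get("List-Unsubscribe", ""))
    mailto = [u for u in uris if u.lower().startswith("mailto:")]
    https = [u for u in uris if urlparse(u).scheme == "https"]
    # RFC 8058: one-click needs this exact header value plus an HTTPS URI.
    post = msg.get("List-Unsubscribe-Post", "").strip().lower()
    one_click = bool(https) and post == "list-unsubscribe=one-click"
    # Body links mentioning "unsubscribe": following them leaves the mail client.
    # Assumption: parts are not base64/quoted-printable encoded (true for the samples).
    body = "".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    body_links = [u for u in re.findall(r'href="([^"]+)"', body)
                  if "unsubscribe" in u.lower()]
    if one_click:
        advice = "use the mail client's one-click unsubscribe"
    elif mailto or https:
        advice = "use the mail client's unsubscribe control"
    else:
        advice = "mark as junk"
    return {"mailto": mailto, "https": https, "one_click": one_click,
            "body_links": body_links, "advice": advice}

if __name__ == "__main__":
    for name, raw in (("with header", WITH_HEADER), ("body link only", BODY_LINK_ONLY)):
        print(name, unsubscribe_options(raw))
```
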

Other suggestions include setting up dummy email accounts or taking advantage of Apple’s “Hide My Email” feature, or the similar tools on Google Chrome and Mozilla Firefox browsers.

You may never truly free yourself from the torrent of emails that plagues your inbox, but following these steps can at least put a dent in it while keeping your digital privacy intact.

 


Andrew Paul is a staff writer for Popular Science.

