07.06.26

Don’t click “unsubscribe” in a spam email: How to avoid phishing, malware, and inbox-targeting scams

That “unsubscribe” link at the bottom of a shady email can look harmless, but in the wrong message, clicking it can make things worse instead of better. Cybersecurity experts generally recommend a simple rule: if the email looks suspicious, don’t click anything in it — including unsubscribe links. The safer move is usually to mark the message as spam or junk and delete it. FTC phishing guidance NIST phishing guidance [consumer.ftc.gov], [nist.gov]

Why is the unsubscribe button risky in spam email?

In a legitimate marketing email from a company you recognize, the unsubscribe link is usually there because U.S. law requires commercial senders to offer an opt-out method. The FTC’s CAN-SPAM guidance says compliant commercial email must include a clear way to stop future marketing messages.

But spam and phishing emails are different. Attackers can use fake unsubscribe links to:

  • Confirm that your email address is active and monitored
  • Redirect you to a phishing page or malware-laced website
  • Trick you into entering your password or other personal information

That is why NIST specifically advises people not to click any link in a phishing email, including unsubscribe.

How common are phishing emails right now?

This is not a niche problem. According to the FBI’s 2024 Internet Crime Report, phishing/spoofing generated 193,407 complaints in 2024, making it one of the most reported cybercrime categories in the United States.

The FTC also says email was the top method scammers used to contact people in 2024, which is a good reminder that your inbox is one of the main places criminals try to trick you.

When is it okay to unsubscribe?

If the message is clearly from a business you know, expected, and trust — like a retailer you actually signed up with — unsubscribing can be reasonable. The FTC notes that legitimate commercial emails are supposed to include a working opt-out method.

A good test is this:

  • You recognize the sender and expected the email.
  • The email is not creating panic or urgency.
  • You can verify the company independently through its real website.

If any of those are missing, treat the email as suspicious.

What should you do instead of clicking unsubscribe?

If the message looks spammy or suspicious, do this:

  • Mark it as spam or junk so your email provider learns to filter similar messages.
  • Do not click links or download attachments in unexpected emails.
  • Report phishing emails to your provider or forward them to the Anti-Phishing Working Group if appropriate.
  • Delete the message after reporting it.

How can you reduce spam and phishing risk long term?

A few smart habits go a long way:

  • Use strong spam filters from major email providers.
  • Turn on two-factor authentication for important accounts.
  • Be skeptical of emails that ask you to act fast, log in, or “fix” an account problem
  • Visit companies directly through your browser instead of email links.

The bottom line

The unsubscribe button is fine in a real marketing email from a trusted sender. But in spam or phishing email, it can be a trap. If the message feels off, don’t interact with it. Mark it as spam, report it, and move on. That one small habit can help protect your inbox, your passwords, and your identity.