Scam Bucket: Beware the ‘Unsubscribe’ button

Spam emails are annoying and most of us just ignore them, but every once in a while some of us might be willing to look for the “unsubscribe” button when multiple emails about the same thing arrive over the course of a week. Hold that thought for a minute.

If you did sign up to receive email from that organization, and you want to stop, clicking on unsubscribe will bring up a web page that will identify your email address upfront. It may ask a few questions like, “Are you sure…” or offer to send fewer emails, but most often it will just say you are unsubscribed. Live your life with slightly less annoyance.

Targeting retirees

However, scammers use this “feature” to find victims, especially people who are retired or about to be. In the US they start flooding inboxes about Medicare supplementary insurance around the time that retirees can change their insurance. But the emails also come in the form of prize awards and other free stuff.

When a potential victim clicks on the button it launches a webpage asking to confirm the email address to be deleted from the list. The victim then types in their email address and clicks “confirm”. Congratulations! You’ve just been added to their list! Wait, no. You wanted to be taken off. What happened?

Getting your email address, or at least an email address you used to have, is easy. Every time you sign up for a new service, buy something online, join a social media platform, etc., you give permission for that organization to sell or share your information with others. Scammers buy those lists and then employ this method to confirm you are who you are.

AOL is still a verdant field of potential scam victims. Most people over 40 at one time had an AOL address and later switched to Gmail or some other, more secure service, often transferring email to the new address through AOL. However, the metadata that included the transfer is part of what is sold in a list. So by purchasing the list they can find out the new email as well.

But Google does the same thing. So do AT&T, Comcast, Facebook, Twitter and on and on.

Finding the scammer

Go back to the email and look at who the email was sent to. There might even be a carbon copy address that’s different. Is it really yours? Probably not. The scammer has bought a list of emails and has sent emails with fake email addresses (see photo above) but put yours in the “blind carbon copy” or BCC list. So you won’t see your email unless you unlock the headers. Once you have typed in your real email address you confirm to the scammer that you are, in fact, a real and possibly gullible human being.
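
The check described above can be run on a message saved with its full headers. This is an added example, not part of the original article; the sample message and every address in it are constructed placeholders, and the function names are made up for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not a real email); every address is a placeholder.
SAMPLE = """\
Received: from mail.sender.example by mx.recipient.example
 for <you@recipient.example>; Mon, 1 Jan 2024 10:00:00 +0000
From: "Medicare Benefits" <offers@sender.example>
To: "J. Smith" <jsmith1952@other.example>
Cc: rewards@other.example
Subject: Your plan options

Click here to unsubscribe.
"""

def visible_recipients(msg):
    """Return every address listed in the To and Cc headers, lowercased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(headers) if addr}

def delivered_by_bcc(raw_message, my_addresses):
    """True when none of my addresses appear in To or Cc.

    The message still reached my inbox, so I was a hidden (BCC) recipient.
    Legitimate mailing lists can look the same, so treat this as one
    warning sign, not proof.
    """
    msg = message_from_string(raw_message)
    mine = {a.lower() for a in my_addresses}
    return mine.isdisjoint(visible_recipients(msg))

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print("Visible recipients:", sorted(visible_recipients(msg)))
    if delivered_by_bcc(SAMPLE, ["you@recipient.example"]):
        print("Your address is not in To/Cc: mark as spam, do not 'confirm' it.")
```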

Don’t bother trying to find and report the scammer. We found that the URL associated with a scam email was purchased from a domain registrar, NameCheap, in Iceland. The registrar hides the identity of the owner. After they finish the scam, the registration will be canceled.

But selling you insurance or getting you to buy products, regardless of the ethics, is the least of the problem. This practice is also the first step in stealing identities. Seeing it merely as an annoyance is a mistake.

So what’s to be done

The simple solution is to just mark the email as spam on your email client. After a few times, your system will recognize the various elements and send all to the spam folder. You can delete it all after that.

Now it’s possible that you actually did sign up to receive emails. If you click the unsubscribe button from a legitimate organization, they legally must delete your information. You won’t get another email from them… until they buy a list from an organization you did sign up for. The circle will be unbroken, as the song goes.

Up to this point, all of this is absolutely legal because the victims agreed to the various terms and conditions users agree to. In the case of Medicare insurance, insurance agencies and insurance companies buy these lists all the time to market their services. It is, however, unethical. It only becomes illegal when the scammers try to defraud the victims with the information volunteered.

The best defense is to not do business with any organization you find that employs these “marketing” services. If enough people wise up, they will go out of business.

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
