DEV Community

João L.
If your "Unsubscribe" link requires users to login, you're training them to fall for phishing attacks

This is an opinion piece based on real events.

It's a tale as old as Unix time. You never asked for these marketing e-mails -- you never select that checkbox out of principle! And yet, companies simply ignore it and send you unwanted communication.

Most marketing e-mails nowadays have a convenient Unsubscribe link at the bottom. Well, maybe not convenient; maybe it's in a 5pt light gray font, but it's usually there! You click, sometimes you need to confirm with a button, and that's that.

The bad, the ugly!

Some companies require users to sign in to modify their notification settings. The reason is obvious - this adds just enough friction that a lot of users don't bother and leave things as they are. But many will indeed try to sign in and unsubscribe.

If a user is ready to sever their relationship with a company, they already deem it very low value. They are very unlikely to watch out for the usual phishing tells like suspicious URLs or the sender's address. Their defenses are likely to be relaxed because unsubscribing is a low-risk action. So when the company asks for their login credentials, they might just provide them without thinking.

By requiring users to sign in before they can unsubscribe from unwanted e-mails, these companies are normalizing this behaviour. A well-crafted phishing e-mail dressed up as a marketing message could lead to credential theft. Not only is this poor design and a dark pattern, it is a security risk!
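The safer design is an unsubscribe link that works without any login at all: the link carries a per-recipient signed token, so the server can honour the request without asking for credentials, and nobody can forge a link that unsubscribes someone else. The following is an added example, not code from the original post or from any particular company; the secret key, the base URL and the subscriber ids are constructed placeholders. It also emits the `List-Unsubscribe` and `List-Unsubscribe-Post` headers defined in RFC 8058, which let mail clients offer a one-click unsubscribe that never shows the user a login page.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values for this example only; in production the key comes
# from a secrets store and the URL is the sender's real endpoint.
SECRET_KEY = b"example-secret-key-change-me"
BASE_URL = "https://example.com/unsubscribe"   # hypothetical endpoint
TOKEN_TTL = 30 * 24 * 3600                      # links stay valid for 30 days

# Separator that cannot appear in a subscriber id or list id, so the
# signed payload is unambiguous.
SEP = b"\x00"


def _sign(subscriber_id: str, list_id: str, exp: int) -> str:
    """HMAC-SHA256 over (subscriber, list, expiry), URL-safe base64 without padding."""
    payload = SEP.join([subscriber_id.encode(), list_id.encode(), str(exp).encode()])
    digest = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_unsubscribe_url(subscriber_id: str, list_id: str, now: Optional[int] = None) -> str:
    """Build a link that unsubscribes one subscriber from one list, no login needed.

    An opaque subscriber id is used instead of the e-mail address so the
    address itself is not exposed in the URL.
    """
    exp = (now if now is not None else int(time.time())) + TOKEN_TTL
    query = urlencode({"s": subscriber_id, "l": list_id, "x": exp, "t": _sign(subscriber_id, list_id, exp)})
    return f"{BASE_URL}?{query}"


def verify_unsubscribe_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a clicked link. Returns (ok, reason_or_action)."""
    q = parse_qs(urlsplit(url).query)
    try:
        subscriber_id, list_id = q["s"][0], q["l"][0]
        exp, token = int(q["x"][0]), q["t"][0]
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(subscriber_id, list_id, exp), token):
        return False, "bad signature"
    if (now if now is not None else int(time.time())) > exp:
        return False, "expired"
    # At this point the request is authentic: unsubscribe without asking for a password.
    return True, f"{subscriber_id} unsubscribed from {list_id}"


def list_unsubscribe_headers(subscriber_id: str, list_id: str, now: Optional[int] = None) -> dict:
    """RFC 8058 headers so mail clients can offer one-click unsubscribe."""
    url = make_unsubscribe_url(subscriber_id, list_id, now)
    return {
        "List-Unsubscribe": f"<{url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


if __name__ == "__main__":
    link = make_unsubscribe_url("sub-123", "promo")
    print(link)
    print(verify_unsubscribe_url(link))
    print(list_unsubscribe_headers("sub-123", "promo"))
```

Because the token is bound to the subscriber, the list and an expiry, a link copied from one person's mailbox cannot be edited to unsubscribe someone else, and an old link stops working after the TTL. Neither property requires the recipient to prove who they are with a password, which is exactly the prompt the post argues should never appear on an unsubscribe page.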

Call to action

When an unsubscribe link asks me to authenticate, I close the tab and mark the message as spam.

I do this deliberately, and I strongly suggest others do the same. Requiring credentials for a low-value action trains users to associate marketing e-mails with login prompts, which is indistinguishable from common phishing techniques. Once that pattern is normalized, credential harvesting becomes easier.

This is the feedback loop companies create for themselves. If enough users follow my approach, it reduces sender reputation and harms email deliverability across major providers.
