
How to Tell if Email Attachments are Safe or a Virus

Authored by:
Support.com Tech Pro Team
This Guided Path® was written and reviewed by Support.com’s Tech Pro team. With decades of experience, our Tech Pros are passionate about making technology work for you.

"You are hereby notified that you must vacate your home within a ten-day period. The bank has already foreclosed on your residential property and you are a trespasser now. Please find our contact information and the bank statement attached to this notice."

We've all had phishing emails like the one above appear in our Inbox. Hackers use language to cause alarm, hoping victims stop thinking long enough to get suckered in. They have an advantage because most users will trust and open emails that come from someone they know. Clever methods are used to hide the fact that the attached files contain malicious links and viruses.

How do I know if an email attachment is safe? Can opening an email cause a virus? Is it safe to open Microsoft Office files from a friend? Which file extensions are safe to open? Which file types should never be opened? How can I tell if an email is a phishing scam? Should I do anything after I download a file? Is there a procedure or checklist to follow?

Email attachments are one of the most common ways to get malware. Nobody wants themselves or their loved ones to become a victim of a scam. Business owners want to protect systems from malware and data breaches. Fortunately, there are effective and straightforward steps to help anyone become a pro at spotting nasty attachments.

How to Tell If an Email Attachment Is Safe

Open the email

How can I tell if the attachment in the email I just got is safe or not? The message in my inbox appears to be something important from Apple. The subject gives the impression that there was an account change. There's also an attached Word document titled "Apple-locked" something. The attachment could be a virus, but I'm not sure. What do I do?

Don't open the attachment just yet. We need to open and verify the email first.

It's relatively safe to open an email from the outset. In the past this was considered an unsafe practice because email messages could contain scripts. JavaScript could make online mail more interactive, but also allowed hackers to insert nasty code. These days, email clients no longer support scripting. Most will even prohibit images from being shown if the sender is an unknown source.

Click or tap the email to open it for review. There's no way to verify without opening the email, so just do it.

Look at who sent the email

Checking the sender information before opening attachments is the first step. Recognizing the sender may not be enough, however, as shown later in this guide.

Double-check the sender's email address

To indicate where a message came from, an email client will typically show the sender's address near the top. The address will have a display name for the sender, which is followed by the specific address in angle brackets. For example: John Smith <john.smith@example.org>.


In some email clients, the display name is shown but not the address. This is not uncommon on Android smartphones and tablets, iPhones, iPads and other mobile devices. Hackers take advantage of this and put legit email addresses in the display name to fool the recipient. Always tap to reveal the full sender information.


Don't open unexpected attachments, even if the sender is legit

Email accounts can be compromised. When I receive an email with a weird looking attachment, I'll email or talk to the sender. If they got hacked, they'll appreciate knowing so they can get their account back. They can also get in touch with anybody else on their contact list who may have received such an email.

Email addresses can also be spoofed. Email spoofing is where the sender address is forged. This type of phishing attack is designed to gain the reader's trust. The attackers then seek to steal personal information, infect devices with viruses or ask for money.

Only open email attachments that are expected. If the message seems suspicious, it's okay to ask the sender about it. The same advice applies for clicking links and replying to an email.

Look at the file type on the attached file


What is a file type? It's a name that's given to a certain kind of computer file. Think of documents, images, videos, executables, zip archives and the like. There are hundreds of different kinds and some file extensions are more common than others.

Attachments or files can contain ransomware, trojans, adware, botnets and other types of malicious code. Not all file types are dangerous, though. Certain file types need to be put under more scrutiny than others.

File types that should never be run

Never run files with any type of executable extension on them, or at least use extreme caution. These file types can contain malware and viruses in their coding. Watch for the following file extensions:

.ade  .adp  .asf  .bas  .bat  .chm  .cmd  .com  .cpl  .crt  .exe  .hlp  .hta  .inf  .ins  .isp  .jar  .js  .jse  .lnk  .mdb  .mde  .mov  .msc  .msi  .msp  .mst  .pcd  .pif  .psc1  .reg  .scr  .sct  .shs  .swf  .url  .vb  .vbe  .vbs  .wsc  .wsf  .wsh

File types to be careful around

Microsoft Office files and PDFs can contain hidden macros and scripts. The scripts can run if the user hits "allow macros" on the document. From there, the macro may install keyloggers or other types of malware. Office documents and PDFs can contain malicious links as well. Watch for these extensions:

.docx  .xlsx  .pptx  .pdf

A compressed file is any file that contains one or more files or directories. The contents, once extracted, are larger than the compressed version. Anti-virus software can have difficulty scanning the contents of these files, especially if they're password protected or encrypted. As a result, they may contain viruses. Most users only think about the .zip extension when asked about compressed files. There are other types of compressed files out there. Here are some examples:

.zip  .rar  .7z  .arj  .cab  .pkg  .tar.gz  .tgz

File types that should be safe

Music, images and videos are generally considered okay to open. Extensions in this category are:

.mp3  .wav  .flac  .aac  .gif  .jpg  .jpeg  .tif  .tiff  .mov  .mp4  .mpg  .mpeg

Interestingly, .txt files are totally safe. Just watch out for the double-extension trick!

Watch out for double-extensions

One gimmick a hacker may try to use is called the double-extension trick. Even though it is a huge security risk, Microsoft and Apple both hide file extensions by default. The image001.jpg file sitting in the downloads folder may look innocent enough. I may be unaware the full filename is actually image001.jpg.exe. If I open it, it'll run as an executable.

image001.jpg.exe

To counter this, some use risky techniques like looking at the file's icon to see if it makes sense. The thinking is that if the file looks like an image, then it's likely an image. This can work sometimes, but icons can be easily faked by hackers. If there's any question, check the file's properties by right-clicking the file. This can be done in Windows, on a Mac and most other operating systems.
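The file-type lists and the double-extension check above can be applied to the real attachment names in a message rather than to what the mail client displays. The following Python sketch is an added example, not part of the original guide; the sample message and the function names `classify` and `triage` are constructed for illustration.

```python
from email import message_from_string, policy

# Extension lists as given in this guide. ".mov" is on both the never-run and the
# should-be-safe list, so the strictest list is checked first and wins.
NEVER_RUN = set("""ade adp asf bas bat chm cmd com cpl crt exe hlp hta inf ins isp
jar js jse lnk mdb mde mov msc msi msp mst pcd pif psc1 reg scr sct shs swf url vb
vbe vbs wsc wsf wsh""".split())
# "gz" stands in for the guide's ".tar.gz": only the final component is compared.
CAREFUL = set("docx xlsx pptx pdf zip rar 7z arj cab pkg gz tgz".split())
USUALLY_SAFE = set("mp3 wav flac aac gif jpg jpeg tif tiff mov mp4 mpg mpeg txt".split())

def classify(filename):
    """Return (verdict, reason) for an attachment, judged by its name alone."""
    # Windows drops trailing dots and spaces, so "a.exe. " still runs as a.exe.
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2:
        return "unknown", "no extension"
    final, earlier = parts[-1], parts[1:-1]
    if final in NEVER_RUN:
        decoys = [e for e in earlier if e in CAREFUL | USUALLY_SAFE]
        if decoys:
            return "never run", f"double extension: .{decoys[-1]} hides .{final}"
        return "never run", f".{final} is on the never-run list"
    if final in CAREFUL:
        return "careful", f".{final} may hold macros, links or unscanned files"
    if final in USUALLY_SAFE:
        return "usually safe", f".{final} is media or plain text"
    return "unknown", f".{final} is not on any of the guide's lists"

# Constructed sample message; the attachment bodies are dummy bytes.
SAMPLE = """\
From: John Smith <john.smith@example.org>
Subject: Photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

See attached.
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="image001.jpg.exe"

AAAA
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Apple-locked.docx"

AAAA
--XX--
"""

def triage(raw):
    """Map each attachment filename in a raw message to its classify() result."""
    msg = message_from_string(raw, policy=policy.default)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {n: classify(n) for n in names}

if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE).items():
        print(f"{name}: {verdict} ({reason})")
```

A name-based verdict is only a first filter: a "usually safe" result says nothing about the file's actual contents, so the scanning step later in this guide still applies.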


Make sure the email isn't spam

Before downloading an attachment, make sure it isn't spam or some type of phishing attack. Phishing attacks are something to always be on the lookout for, particularly in email.

Hackers send a constant barrage of official-looking emails with alarming subject lines in order to lure victims in. They are great impersonators. Who wouldn't be alarmed when receiving an email from PayPal saying their account is limited? Or that an unknown device has been using their account? Thieves know exactly how to manipulate people because it works.


The best advice here is to look the email over before reacting. Challenge it. Hackers are constantly coming up with new tricks to steal data, so keep an eye out for these signs:

  • Does it have any typographical errors? Watch out for spelling errors, improper use of punctuation, grammar mistakes or odd phrasing.
  • Mouse over links to inspect them and see if they link to sketchy websites. Clicking malicious links can bring the user to a forged website that will steal passwords.
  • Give special attention to the email address to make sure it seems legitimate. The name may say "PayPal Customer Service", but if the email address says roberta@thanksforyourcreditcard.com, then somebody may be trying to phish you.
  • Does the email ask you to log in or provide your password?
  • Are there any unusual demands for money?

If I have any doubt as to whether the email is a scam or not, I don't click links or download attachments. It's as simple as that. It's better to type the address in myself, log in and verify. Worst case, I'll call the organization before clicking.

Download the file

When I feel comfortable that a file passes the quick safety checks, I'll download it. If there's any lingering worry, the file can be manually scanned by an up-to-date anti-virus program. As an extra precaution, keep the operating system (Windows, Mac, etc.), mail clients, PDF readers, and virus protection updated. Never disable an anti-virus when trying to open an attachment.

Additional strategies that help

Here are more ideas to use to keep safe from malicious email attachments:

  1. Because some viruses need "administrator" rights to infect a computer, consider reading email in an account with restricted privileges. Most operating systems give the option of creating multiple user accounts with different privileges.
  2. Install Internet Security software. Internet Security is not the same thing as an anti-virus. Anti-virus protects a computer from viruses. Internet Security protects against Internet threats like spam, phishing, spyware, viruses, email attachments, and so on.
  3. If a system becomes infected, remove the virus. Scanning the computer with an anti-virus is a good first step. Some infections need to be removed with specialized tools and skills, though.
  4. Delete any messages and attachments you aren’t sure about.
  5. Guard against phishing attacks by making sure online personal information is safe. 

Conclusion

There are many threats awaiting in the Inbox. One could worry that their loved ones are at risk of being taken in by a phishing scam or getting infected. For peace of mind, share and follow these generally accepted email security practices.
