3 Most Dangerous Email Attachments To Avoid

By now, almost anyone who uses email on a regular basis is aware some messages contain malicious links or social engineering attempts. But, what are the most dangerous types of email attachments? Would you know how to spot them, or how to prevent being victimized?

Why Infiltrate Email?

There are many answers to the question "Why would someone want to cause innocent people harm?" among them are:

  • Monetary gain
  • Because it's a challenge
  • For the love of causing mischief

Email scams and malicious content aren't going to disappear any time soon. But, knowing where your threats are coming from and how to spot them allows you to protect your personal information and bank accounts. Many are hidden threats, but they leave evidence that should make you suspicious, like their content and extensions. Many malicious attachments end in:

  • .exe, which is an executable file, usually used for installing software
  • .msi, which mimics authentic files from Microsoft
  • .js, which is the extension for JavaScript files that many platforms run automatically, and they can't tell good from faulty ones.

Here are the five top email threats that could be landing in your inbox soon if they aren’t already there. Most that didn’t make the list are just variations on a theme.


In case you've been living on a desert island without access to media, ransomware attacks were the new black last year. These cyber crimes allow hackers to take advantage of security vulnerabilities and hold your data hostage for money. It's like kidnapping your sensitive information, hence the name.

How Does it Work?

Thieves insert coding into emails and other formats via hidden files, links, or by altering existing code. It hides inside your system until you release it by opening a file containing the code. Once released, command lines lock you and other users out of their files and devices until the mastermind is paid for the unlock code or key. Whether they get paid or not, it’s likely you’ll end up still locked out of your files or they might be destroyed.

How to Protect Yourself

  • Install a firewall.
  • Don't open messages or click links from someone you don't know, and warn friends and business associates not open any or send them to you.
  • Use data leak protection mechanisms like private networks and encryption.
  • Update your anti-spam and anti-malware apps as soon as patches or updates are available.

Zero Day Exploits

Even the most meticulous coders and developers can inadvertently overlook security flaws. Many of these are caught and patched quickly, but there are people who do nothing but look for ways to infiltrate emails and networks. Once they're in, they can hijack sessions, insert coding to redirect your web traffic, or hold your information hostage.

How Does it Work?

The hacker tries various ways to get into databases or hijack sessions by finding and exploiting overlooked areas or those that have weak security. This can be from the end user or admin side. Once in, they insert code that's written to perform whatever mischief that's on their mind. Because these attacks hit hidden flaws, they're often not caught for months.

How to Protect Yourself

You can install updates for security patches as soon as they become available, and use industrial-strength privacy protections like VPNs. But, the most important thing you can do to prevent this kind of malicious email attack is to perform comprehensive pen testing to probe for hidden security flaws.

Social Engineering

No, this isn't the plot of some dystopian science fiction novel. It's a form of manipulation that involves deception and intrigue. The most common one was the "Nigerian Prince" scams that were created as a way to trick people into providing passwords, credit card or bank account numbers, and other sensitive information so they can steal your money and/or identity.

How Does it Work?

The potential thief sends carefully worded emails that are designed to make the victim think they've won money or are being given a golden and exclusive opportunity.

How to Protect Yourself

Always remember the adage "If something seems too good to be true, it probably is. It should go without saying that you never give someone you don't know money, airline tickets, or access to your bank account no matter how good their pitch. Ignore unsolicited sales offers.

Phishing and Spear Phishing

Phishing is a form of social engineering in that it uses trickery to convince the target to reveal personal or sensitive information. It's usually sent in bulk mailings in order to increase the number of successful responses. Spear Phishing is the same type of thing, but it targets individuals or organizations rather than random people. Often, the attacker will send an email that looks official, like a PayPal or Twitter letterhead

How Does it Work?

You get an email saying that there's a problem with an account or delivery of some merchandise you've supposedly ordered, and they need your password, credit card, or banking information to straighten it out. Some will ask you to click a link that's supposedly to an official website, but it really goes straight to them. When you try to log on to your account they record the keystrokes.

How to Protect Yourself

Compare recent legitimate correspondence with the suspicious one. You'll usually notice tiny differences in formatting or headings. You can also contact the company through a known official route and ask if they contacted you. Most companies will never ask for your password or credit card info.

Key Logging

Keyloggers are little programs hidden in the coding for videos or emails. They run quietly in the background and record your keystrokes as you go about your business. This tells them everything you type in during browsing sessions, including your passwords and private information.

How Does it Work?

The criminal sends a video or other content with instructions to click the link to see something cool or useful. Clicking the link gives them access to your accounts. This is also common on social media in the guise of chain letters or viral videos that are sent to your friends and contacts.

How to Protect Yourself

Don't open or spread chain mail. You should also avoid clicking on any link that looks suspicious. Immediately if not sooner, install a virtual private network (VPN). For around five bucks a month, the best VPN service providers encrypt your session information, including identity, activity, and personal information, making it appear as gibberish to anyone looking in.

Read the fine print when comparing the best VPNs, and don’t pull the trigger until you’ve carefully considered their data privacy policies. Some providers aren’t as dedicated to your anonymity as others and log user identities or sessions to sell to advertisers, or give to government agencies upon request.

Dishonorable Mention: Spam

Almost everyone knows what spam is. It's those unsolicited sales pitches that used to clutter up your inbox until providers introduced filters, right?

Well, yes and no. Spam certainly does flood many an unprotected inbox, but it's more than just the digital equivalent of annoying junk mail. It's also the most common delivery method for ransomware.

You can avoid spam by using an email provider that has up-to-date spam filters, adjusting your inbox settings, blocking bad actors or unknowns, and making sure that welcome senders are added to your contact list.

Final Thoughts

Email scams have been around almost as long as the messaging medium itself. Even someone who carefully applies best practices to all areas of their business can be fooled if the enticement is clever enough.

Scammers and cyber criminals are never going away, and neither is the need for email in business or personal correspondence. Your best bet is to keep abreast of the latest threats and variations, and take as many precautions as you can to protect your accounts. No matter how clever criminals become, there are measures you can take to reduce the chances of being the next victim.