It used to be scarily easy, but not anymore.
As long as you're using a relatively up-to-date email program or online email interface, you cannot get malware just by opening and looking at an email. For the record, most programs and interfaces are up-to-date. I'd be hard-pressed to find one that isn't these days.
In the beginning, the very concept was laughable. It just wasn't a way you'd get malware.
Then came Outlook. Not only could opening an email infect your machine, but for a while, you didn't even have to be around to have it happen!
Fortunately, today things are very different and very safe.
Malware from opening an email
It used to be that email programs would automatically run programs embedded in email messages when displayed, and occasionally those could be malicious. This is no longer the case, and you will not get malware from simply opening an email. It remains important to be skeptical with links and attachments and to keep all software as up-to-date as possible.
Of HTML, DHTML, and JavaScript
HTML is the "language" of the web. It's the way webpages like this one are written so your browser can display them as the designer intended.
DHTML, for Dynamic HTML, and JavaScript, a programming language, added something HTML didn't have by itself: the ability to do things. By "things," I mean actions like turning this text red when you move your mouse over it and games you can play in your browser.
Your browser, and the HTML displayed in it, became a platform for computer programs.
Then came email.
HTML email
Email used to be plain-text only, and some of it still is.
But email began to be encoded using the same language as webpages: HTML. In HTML email, words can be bold or underlined, we can insert images, and more. Now email could be as "pretty" and complex as a magazine page.
Since many email programs simply used the web browser to display HTML, email messages could now also do things.
Then came malware.
Malware in email
Since email could "do things" like run small programs within its display window, it didn't take long for hackers to write malware that not only took advantage of that ability but also exploited vulnerabilities those scripts could reach. Those vulnerabilities allowed them to infect your machine with more malware.
All because you opened your email and looked at it.
Before it got better, it got worse: then came Outlook.
The Preview Pane
I say "Outlook," but any email program offering what we now call a "preview pane" could be vulnerable. Outlook was one of the earliest and most popular.
It worked like this:
- You left your email program open with the preview pane showing.
- You had your most recent email message displayed in the preview pane.
- You walked away.
- You got a new message. Outlook, keeping the selection at "most recent", selected the newly arrived message[1] and updated the preview pane with its contents.
- If the new message contained DHTML/JavaScript malware, it was possible it would run and infect your machine.
Your email program "looked" at a message and your machine was infected. You weren't even there.
Fortunately, this didn't last long.
Modern email programs and sites don't do that
That possibility was quickly fixed.
The most dramatic fix was that JavaScript -- and most other coding that used to allow an email message to "do something" -- no longer works within email. Email is no longer treated like a fully capable webpage. Even when displayed in a web interface like Gmail, the message is scrubbed of any scripting that could cause problems before it is displayed.
Along the way, vulnerabilities related to email-based exploits[2] have also been fixed regularly and quickly.
Additionally, images aren't even displayed by default by most email programs. This is done for reasons related to spam, but it also increases your malware-related security.
Today, things are very different.
No, you cannot get infected by just looking
Opening an email is a safe thing to do.
Looking at an email is a safe thing to do.
Having your preview pane open is a safe thing to do, even if you're not around.
Email programs and email services no longer allow the things that once upon a time made looking at an email risky.
However...
You can still get infected if...
The one thing missing from the discussion above is attachments.
The ability to attach an arbitrary file to an email message predates HTML-formatted email. It's a convenient way to transfer a file from one place to another.
Unfortunately, the word "arbitrary" is appropriate. Any file can be attached to an email, including programs that would infect your machine with malware.
That's why one of the admonitions you hear over and over is to never open an attachment you're not expecting and that you don't know for certain is safe.
You can get infected by just looking at the contents of an attachment.
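A defender's counterpart to the "never open an unexpected attachment" rule is to look at an attachment's name and first bytes before anyone double-clicks it. The example below is added for this page and is not code from Ask Leo; it uses the standard library `email` package to parse a message and flags attachments whose extension, double extension, or file signature says "program" rather than "document". The extension lists, the signature table, and the three-attachment sample message are all constructed for the example.

```python
"""Inspect email attachments before anyone opens them.

Added example, not code from Ask Leo: parse a message with the standard
library, then flag attachments whose name or leading bytes suggest a
program or active content rather than a plain document. The extension
sets, magic-byte table and sample message are constructed for this
example.
"""
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "ps1", "msi", "jar", "lnk", "cpl", "reg"}
MACRO_DOC_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOC_LIKE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}
# (leading bytes, kind): file signatures checked regardless of the name.
MAGIC = [(b"MZ", "pe"), (b"\x7fELF", "elf"), (b"%PDF", "pdf"),
         (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole"), (b"#!", "script")]
EXPECTED_MAGIC = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip",
                  "zip": "zip", "jar": "zip", "doc": "ole", "xls": "ole"}
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction")


def sniff(data):
    """Identify the content by its signature, ignoring the file name."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return None


def assess_attachment(filename, data):
    """Return a list of human-readable reasons this attachment deserves caution."""
    findings = []
    pieces = (filename or "").lower().split(".")
    ext = pieces[-1] if len(pieces) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable file type .{ext}")
    if ext in MACRO_DOC_EXTS:
        findings.append(f"macro-enabled document .{ext}")
    if len(pieces) > 2 and pieces[-2] in DOC_LIKE_EXTS and ext not in DOC_LIKE_EXTS:
        findings.append(f"double extension .{pieces[-2]}.{ext} disguises the real type")
    kind = sniff(data)
    if kind in ("pe", "elf", "script"):
        findings.append(f"content is a {kind} program")
    expected = EXPECTED_MAGIC.get(ext)
    if expected and kind != expected:
        findings.append(f"content does not look like a .{ext} file")
    if kind == "pdf" and any(marker in data for marker in PDF_ACTIVE_MARKERS):
        findings.append("PDF carries active content (script or launch action)")
    return findings


def scan_message(raw_bytes):
    """Map each attachment's file name to its findings (empty list = nothing noted)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        report[name] = assess_attachment(name, data)
    return report


def build_sample_message():
    """Constructed three-attachment message: one disguised program, one PDF
    with an open action and script, one plain PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >>\n"
                       b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >>\n%%EOF\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj << /Type /Catalog >>\n%%EOF\n",
                       maintype="application", subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print(name, "->", findings or "nothing noted")
```

The signature check is the part that matters most: a file named `invoice.pdf.exe`, or a `.docx` whose bytes begin with `MZ`, is caught even though the name and the declared `application/pdf` type both say "document". A clean result is not proof of safety (the plain `receipt.pdf` simply has nothing the heuristics recognise), which is why the check complements, rather than replaces, the rule of only opening attachments you expect.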
Do this
Observe email safety rules.
- Keep Windows, your browser, your applications, and your email program up to date. If a vulnerability is discovered, you want it to be fixed as soon as possible to be as safe as possible.
- Run anti-malware software.
- Never open an attachment unless you expect it, you're positive you know what it is, and you trust the sender.
- Never click on a link in an email message unless you're positive you know where it's going and you trust the sender.
Footnotes & References
[1]: This behavior has also changed. I believe Outlook no longer changes which message is selected.
[2]: One example: at one point, there were exploits in the software used to display images such that malware could be in maliciously crafted image files. Not only have those exploits been resolved, but most email programs no longer display images from untrusted senders by default.
I’m not a technical person. I get email/message notifications that I have viruses. I run apps that say no threats/viruses. What do I do?? Battery affected, I think. Will a factory reset help? Help!!! Please!!!
Emails saying you have malware are almost certainly spam.
At times I find it necessary to attach documents or images to my email, with a person, or some firm, government agency, or service. I have read that PDF is a safe way to do so, and, thankfully, on my laptop, it’s easy to arrange. You convert documents and even images to PDF by hitting Control+P, choosing to save in PDF format, and downloading.
I’m wondering however if my information is correct that PDF is safe and if so, whether in general people are aware of that and not put off by receiving and opening a PDF attachment as they might be by an attached image.
PDF is safer. It is possible to craft malicious PDFs. In general, you should be careful with attachments, no matter what they claim to be.
Thanks Leo. I had one other question about attachments. Is there any difference between opening an attachment of an email downloaded to your computer, e.g., by Outlook, versus opening an email attachment if you don’t download your emails to your computer, e.g., you view Gmail on mail.google.com? Is the latter safe to do?
Nope. Attachments are always downloaded to your computer in order to open them, so the danger is the same.
Hi Leo.
I use webmail and don’t download files to the PC and open them. Am I not more secure that way?
Regards John from Denmark
Not really. AND your email isn’t backed up. (If you lose access to your email account, do you lose access to all your saved email? Then you’re not backed up. :-) )
Leo – Suppose a photo displayed in an email has a “web beacon”. Maybe it’s a spammy email that I originally thought was legitimate. Will the sender know I opened the email, or do modern email programs stop this from happening?
If the image is opened, the sender can know.
This is what the “display images” option is all about. The default is typically not to.
I use Network Solutions for some simple web sites and a few email accounts. I got an email from (I thought) ‘Network Solutions’ that said I needed to “Validate my email”. It was a PERFECTLY prepared email, even the sender’s domain appeared correct, so I opened the email and did click the big link that said “Validate my email”. As soon as I clicked it, I closed the email and cursed myself. I did not see anything happen, no programs loading or anything… but did I infect myself? I called the real Network Solutions and they confirmed it was a phishing email. I’m running Thunderbird email with Win7 Pro. Now I’m worried… Thanks for all your tips & tricks!!
Dave Fraser,
Run a full system scan with your anti-malware suite. If anything got in, hopefully it will be recognized and removed. I say ‘hopefully’ because the possibility exists that some new (as yet unknown) malware got into your system when you pressed that button. That possibility is remote, but I feel obligated to include it here for accuracy’s sake. I suggest that you run a full anti-malware scan weekly for the next two or three weeks.
Ernie