Some time ago, a report was released on the most common attack vectors behind data breaches and related incidents.
You and I are the weakest link.
For at least one large class of attack, it’s our propensity to download and open email attachments that gets us into trouble.
A couple of scary numbers from that report: 1 in 10 people will download and open an attachment to a phishing or spam email. And the average time between a phishing email being sent and the first victim taking the bait? Twenty-two seconds.
What the heck is it about email attachments that makes them so darned irresistible?
Attachments are useful
The problem begins with the fact that email attachments are useful.
I have a file, and I want to get it to you. Often the quickest, easiest way to do so is to compose an email to you, attach the file, and press Send. Magic happens.
For example, it’s not uncommon for folks to want to submit a screenshot with their Ask Leo! question. The best way to do that? Submit the question and then reply to the confirmation email message with the screenshot image as an attachment. Nothing could be simpler. Taking the screenshot was probably the hardest part of the process.
Given the rate at which we exchange data with friends, co-workers, and even tech support sites, email attachments have become a cornerstone of our digital life.
We’ve been trained to open attachments
Because attachments are so common, we don’t think twice about getting them, and we don’t think twice about opening them.
We’ve been trained to use and open attachments, even when they’re not needed.
My favorite pet peeve[1] is the person who carefully types up a short memo using a program like Microsoft Word. Then, instead of just copy-and-pasting the contents of the document as the body of the email, he or she sends the entire Word document as an attachment, with the body stating something like “important memo attached”.
There’s no need. The mail with an attachment is larger, slower, and less likely to make it past spam filters. The recipients are forced to open the attachment or, in many environments, suffer the consequences of missing the memo.
This kind of attachment abuse has lowered our sensitivity to the dangers attachments represent.
Attachments don’t kill computers…
Now, let’s be clear: attachments aren’t evil. It’s how attachments are used and abused that leads to the problem.
- We’re trained to open attachments without thinking.
- Attachments can contain anything, good or evil; they may contain important files, or they may contain devastating malware.
That sounds like a recipe for disaster. And it is.
When 10% of the audience will open an untrusted attachment to a phishing email, that’s hacker gold. It’s a spammer’s dream.
And it’s our nightmare.
Attachments are often no longer necessary
Attachments were originally created to solve a specific problem: getting a file from point A to point B.
Back in the days before always-on networks, email’s “store and forward” approach to getting a message to its recipient “eventually” was a fantastic way to perform file transfers. In some cases, entire file repositories (the equivalent of today’s download sites) were available primarily via email request.[2]
We’ve come a long way since then, and the attachment habits we developed back then are no longer so necessary. The easiest alternative? Place the file in a service like Dropbox or OneDrive and share a link. Not only does this make your email smaller and more likely to make it through (without forcing a lengthy download on the recipient just to read the message), it also ties the shared file to an account you control, which provides an accountability that email’s easily spoofed “From:” address cannot.[3]
And, of course, there’s no reason to attach a document when the message could just as easily be placed into the body of the email.
Attachments: think twice, then think again
Think twice about sending attachments at all.
Use file sharing alternatives such as mentioned above. Have photos to share? Put them online instead of forcing the recipient to download them. If you’re concerned about privacy, use a service that lets you control who sees what.
Regardless of which approach you choose, it’ll be more secure than an email attachment, which can be read by anyone with access to any of the servers along the path your email takes.
Think twice — and then twice again — before opening any attachment. Unless you know better, your initial reaction to an attachment should always be one of mistrust. In particular:
- No financial organization will ever send you a “secure message” as an unsolicited attachment. (And if they do, they don’t “get” security, and I’d think twice about continuing to be their customer.)
- Shipping companies never send paperwork about missed deliveries as attachments. This is one of the most common ways that people get fooled. If you’re uncertain at all, pick up the phone and call the local office.
And nobody in Nigeria wants to share money with you.
But you already know that.
You can scan an attachment with your anti-malware tools after you download it and before you open it, but that only catches what those tools already recognize. If you’re even a little unsure, it’s better to check with the sender. Don’t reply to the email: someone sending you a phishing email from a hacked account will, of course, claim it’s legitimate. Instead, pick up the phone, or use some other channel to double check.
Don’t be part of the 10%.
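Everything in that list comes down to three questions you can answer before opening anything: did the message really come from who it claims, what is the attachment really, and where does the link really go? Here is a small triage script that asks those questions of a raw message. It checks whether a Reply-To header routes your answer to a different domain than the From address, what each attachment’s real extension is (including the “Invoice.pdf.exe” double-extension trick), whether a subject about a “secure message” or a “missed delivery” arrives with an attachment at all, and whether each link’s real target matches both the text it shows and the sender’s domain. This is an added example, not code from the Ask Leo! article; it uses only the Python standard library, and the two sample messages it builds are constructed for the demonstration, with every address, domain and file name in them made up.

```python
"""Triage an email for the warning signs described above (added example, not code
from the original article; all addresses, domains and file names are made up)."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Final extensions that execute code or enable macros when opened; archives can wrap them.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
                    ".wsf", ".hta", ".ps1", ".lnk", ".msi", ".jar", ".iso", ".img",
                    ".docm", ".xlsm", ".pptm", ".zip", ".rar", ".7z"}
# Innocent middle extensions used to disguise a payload, as in "Invoice.pdf.exe".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Subjects the article singles out: these never legitimately arrive as attachments.
LURE_PHRASES = ("secure message", "missed delivery", "delivery notification")

class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body, i.e. what a hover would show."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _host(url):
    """Hostname of a URL; link text such as 'www.example.com/x' counts as a URL too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def triage(raw):
    """Return a list of human-readable warnings for one raw message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []

    # 1. Sender: a Reply-To on another domain sends your answer somewhere else.
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    reply_to = msg["Reply-To"]
    if sender_domain and reply_to and reply_to.addresses:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != sender_domain:
            warnings.append(f"Reply-To goes to {reply_domain!r}, not the From domain {sender_domain!r}")

    # 2. Attachments: the real file type, and whether an attachment fits the subject at all.
    subject = str(msg["Subject"] or "").lower()
    names = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    for name in names:
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            warnings.append(f"attachment {name!r} is executable, macro-enabled or an archive")
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
            warnings.append(f"attachment {name!r} uses a double extension to pass as a document")
    for phrase in LURE_PHRASES:
        if names and phrase in subject:
            warnings.append(f"subject mentions {phrase!r} and carries an attachment: a classic lure")

    # 3. Links: the hover target versus what the text claims, and versus the sender's domain.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for text, href in collector.links:
            target = _host(href)
            if text.startswith(("http://", "https://", "www.")) and _host(text) != target:
                warnings.append(f"link text {text!r} actually points at {target!r}")
            if sender_domain and target != sender_domain and not target.endswith("." + sender_domain):
                warnings.append(f"link to {target!r} is outside the sender's domain {sender_domain!r}")
    return warnings

def build_sample(lure):
    """Construct a sample message (made-up addresses); lure=True adds every trick above."""
    msg = EmailMessage()
    msg["From"] = "Your Bank <alerts@example-bank.com>"
    msg["Subject"] = "Secure message: action required" if lure else "Your statement is ready"
    msg.set_content("Please see the HTML version of this message.")
    if lure:
        msg["Reply-To"] = "verify@mail-relay.example"
        msg.add_alternative('<p>Verify your account at <a href="http://example-bank.com.login-verify'
                            '.example/v">https://www.example-bank.com/login</a>.</p>', subtype="html")
        msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                           filename="Invoice.pdf.exe")  # four bytes standing in for an EXE
    else:
        msg.add_alternative('<p>See the <a href="https://www.example-bank.com/help">help page</a>.</p>',
                            subtype="html")
    return msg.as_bytes()
```

Calling triage(build_sample(True)) returns six warnings for the lure message; triage(build_sample(False)) returns none for the plain statement notice. The heuristics are deliberately simple and will produce false positives (newsletters whose links go through a tracking domain, archives someone sent on purpose); the point is to surface, in plain text, what hovering over the link and reading the full file name would have told you, not to replace the phone call to the sender.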
There is one reason why I prefer sending files as attachments to putting them up online and sending a link: I don’t need to worry about an attachment after I send it.
If I upload a file to cloud storage (e.g. Dropbox), share it, then send a link, I have three options for dealing with that file:
1. Ask the recipient to tell me when they’ve downloaded the file, so that I can delete it. This is highly inconvenient for the recipient.
2. Try to detect on my own when they’ve downloaded it by using the cloud storage’s download counter, if one is provided, and delete the file afterwards. This risks deleting the file too early: maybe they started the download, then changed their mind and canceled it, deciding to download it later, but the download counter still detects a download, so I notice it and, mistakenly believing the recipient has already downloaded the file, delete it. I can be extra careful to avoid this kind of false positive, but it’s still a lot of hassle.
3. Keep the file uploaded and available for download indefinitely. This decreases the amount of cloud storage I have available and, more importantly, increases clutter in my cloud storage.
On the other hand, with attachments, the file is stored at the recipient’s email server and counts towards their storage limits, not mine. They can keep the attachment on the server for as long as they need and delete it when they no longer need it—which they can determine more easily than I can. That’s much less hassle for both me and the recipient.
Of course, there are cases when I can’t send attachments—most notably, when they are too large. Then I have no choice but to fall back to cloud storage. However, if I have the option, I’d definitely use attachments.
@VoidPhantom
Option 4 (Which I use)
“This attachment will be available for download until April 30, 2015. Please make sure you download it before then, otherwise it will no longer be available. ”
Then on May 1st, delete the file.
Good Suggestion. Thanks for sharing it!
Leo!
Today I was just thinking of asking you to write something about a related subject, which is often the result of opening email attachments carelessly: file encryption.
The day before yesterday I received a call from a man I do not know, but whom a mutual friend had told to get in touch with me, asking for help recovering files that had been affected by CryptoWall 3.0, which encrypts files with RSA-2048 encryption.
Since I have only recently started following your work here, I have not had time to research whether you have already written something about this encryption, following on from the subject discussed today.
Forgive me; English is not my native language.
Your work is excellent!
Is clicking on a link in an email, which the recipient would do, less dangerous than opening an attachment?
The secret is in being able to tell where the email came from. If the email came from a good guy, then opening the attachment or clicking a link is perfectly safe. If the email came from a bad guy, then clicking a link or opening an attachment is equally dangerous!
That’s true if it really came from a good guy. Unfortunately, hackers can make it appear that the rogue email came from a friend. I sometimes get spam links supposedly from friends whose accounts or machines were compromised.
And given the ability to “spoof” the sender of an email, it’s incredibly difficult for the average user to prove that an email came from who it says. That’s why I so often recommend confirmation via a different channel if uncertain at all.
Hi Leo,
I just hover mouse over the link that usually shows some unheard of URL. Is this OK?
No way for me to know. It depends on the link, what you expect, and what that unheard of URL turns out to be.
The problem is that even friends sometimes forward links that are bad stuff or it could be a spoofed address.
I “train” people I know to never send a generic “this is cool” message. Spoofed email senders really don’t know people. They have to send things with generic terms to the million people.
Not really – with pretty much the same caveats: only click/open links/attachments that you KNOW to be safe. Not sure? Don’t click/open. (The news report that caused me to write this talks about direct infection by attachment, but malicious links have their own similar set of issues.)
Re: Footnote 1 “My favorite pet peeve” is redundant. Pet in this case = favorite :-P
It’s my favorite favorite.
The latest hatest scam is receiving a familiar name via email, tempting, yes, but the giveaway is in the initial wording, always awkward yet you might think it’s just a bulk mailing even though you’ve never received such by this person (which isn’t the person you’re supposed to think it is). “Symform” came from somewhere like this and crashed my computer, but still shows up saying “C’mon back, we’ve missed you”. Uh Huh. Best policy, never open an attachment, ever. Sure we will if we’re sure but how can you be really sure? We’re raised to trust and help people but that can be usurious. With the world wide web of internet there are no hard and fast rules yet – except don’t trust anything or anybody.
Leo,
Do you imply that bad guys would not spread malware through cloud links because it could be traced back to them? Is that a strong enough deterrent? If they are based in Russia, China or La-La-Land, as they often are, would they really care?
And what about involuntary infection by legitimate correspondents, who would link to a file they would not know is infected? Is not that a risk, even on the cloud?
Bad guys will always be looking for ways to trick people. I think the point of the article is to not do anything blindly, like clicking on attachments.
Not at all – links are indeed another way that malware spreads. Links to cloud services could be to compromised accounts, for example.
By the way, do the cloud storage sites scan files for malware? (You can tell I don’t currently use them.)
Most do not, no.
Thank you.
Now I’m lost. If links to cloud storage can bring up malware the way attachments do, why is it advisable to prefer them? Except for the fact that it’s cleaner, and more polite, because you don’t hammer your correspondents with big files (which might be rejected anyway by some mail servers)?
One advantage of cloud storage is that scammers don’t currently use that technique to send malware. (I hope they’re not reading this)
Mostly because spammers don’t use them. Remember, there is no black or white here – that’s what makes this difficult. ANYTHING could be malicious. As it turns out simple attachments are more frequently used by hackers because they’re easier to construct (doesn’t require access to a hacked account) and people open them when they shouldn’t. As a result using anything except attachments is more secure. Perfectly secure? No. There’s no such thing. But more secure, most definitely.
Very rarely use attachments since finding Firefox Send.
https://blog.mozilla.org/blog/2019/03/12/introducing-firefox-send-providing-free-file-transfers-while-keeping-your-personal-information-private/