Some time ago, a report about the most common vectors for data breaches and related issues was released.
You and I are the weakest link.
For at least one large segment of attack, it’s our propensity to download and open email attachments that gets us into trouble.
A couple of scary numbers from that report: 1 in 10 people will download and open an attachment to a phishing email or spam message. And the average time between a phishing email being sent and the first victim taking the bait? Twenty-two seconds.
What the heck is it about email attachments that makes them so darned irresistible?
Attachments are useful
The problem begins with the fact that email attachments are useful.
I have a file, and I want to get it to you. Often the quickest, easiest way to do so is to compose an email to you, attach the file, and press Send. Magic happens.
For example, it’s not uncommon for folks to want to submit a screenshot with their Ask Leo! question. The best way to do that? Submit the question and then reply to the confirmation email message with the screenshot image as an attachment. Nothing could be simpler. Taking the screenshot was probably the hardest part of the process.
Given the rate at which we exchange data with friends, co-workers, and even tech support sites, email attachments have become a cornerstone of our digital life.
We’ve been trained to open attachments
Because attachments are so common, we don’t think twice about getting them, and we don’t think twice about opening them.
We’ve been trained to use and open attachments, even when they’re not needed.
My favorite pet peeve is the person who carefully types up a short memo using a program like Microsoft Word. Then, instead of just copy-and-pasting the contents of the document as the body of the email, he or she sends the entire Word document as an attachment, with the body stating something like “important memo attached”.
There’s no need. The mail with an attachment is larger, slower, and less likely to make it past spam filters. The recipients are forced to open the attachment or, in many environments, suffer the consequences of missing the memo.
This kind of attachment abuse has lowered our sensitivity to the dangers attachments represent.
Attachments don’t kill computers…
Now, let’s be clear: attachments aren’t evil. It’s how attachments are used and abused that leads to the problem.
- We’re trained to open attachments without thinking.
- Attachments can contain anything, good or evil; they may contain important files, or they may contain devastating malware.
That sounds like a recipe for disaster. And it is.
When 10% of the audience will open an untrusted attachment to a phishing email, that’s hacker gold. It’s a spammer’s dream.
And it’s our nightmare.
Attachments are often no longer necessary
Attachments were originally created to solve a specific problem: getting a file from point A to point B.
Back in the days before always-on networks, email’s “store and forward” approach to getting a message to its recipient “eventually” was a fantastic way to perform file transfers. In some cases, entire file repositories (the equivalent of today’s download sites) were available primarily via email request.
We’ve come a long way since then, and those attachment habits we developed are no longer so necessary. The easiest alternative? Place a file in a service like Dropbox or OneDrive and share a link. Not only does this make your email smaller and more likely to make it through (without forcing a lengthy download on the recipient just to read the email), but it also provides accountability that isn’t possible with the currently spoofable email system.
And, of course, there’s no reason to attach a document when the message could just as easily be placed into the body of the email.
Attachments: think twice, then think again
Think twice about sending attachments at all.
Use file sharing alternatives such as mentioned above. Have photos to share? Put them online instead of forcing the recipient to download them. If you’re concerned about privacy, use a service that lets you control who sees what.
Regardless of which approach you choose, it’ll be more secure than an email attachment, which can be viewed by anyone who has access to the path your email takes.
Think twice — and then twice again — before opening any attachment. Unless you know better, your initial reaction to an attachment should always be one of mistrust. In particular:
- No financial organization will ever send you a “secure message” as an unsolicited attachment. (And if they do, they don’t “get” security, and I’d think twice about continuing to be their customer.)
- Shipping companies never send paperwork about missed deliveries as attachments. This is one of the most common ways that people get fooled. If you’re uncertain at all, pick up the phone and call the local office.
And nobody in Nigeria wants to share money with you.
But you already know that.
You can scan an attachment using your anti-malware tools after you download it and before you open it, but if you’re even a little unsure, it’s better to check with the sender. Don’t reply to the email, because of course someone sending you a phishing email from a hacked account will claim it’s legitimate. Instead, pick up the phone, or use some other means of double-checking.
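A small illustration of “look before you open”: the Python script below is an added example, not Leo’s code and not something the article describes. It reads a saved email message (a .eml file, or here a constructed sample in the style of the “missed delivery” scam above), lists every attachment, and labels the ones whose file extension says “this is a program, a macro document, or an archive I can’t see into”, so you know to pick up the phone before double-clicking. The extension lists are my own assumption, not an authoritative catalogue; a clean label means “nothing obvious”, not “safe”, so the anti-malware scan still applies.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that frequently carry executable or script content. This list is
# an assumption for the example, not a list from the article.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf",
    ".hta", ".ps1", ".lnk", ".iso", ".img", ".jar",
}
# Office formats that can carry macros.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
# Archives hide whatever is inside them from a filename check.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".gz", ".tgz"}


def classify_filename(name):
    """Return a short risk label for one attachment filename."""
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    # "notice.pdf.exe": a real extension hiding behind a benign-looking one.
    if len(parts) > 2 and ext in RISKY_EXTENSIONS:
        return "executable (double extension)"
    if ext in RISKY_EXTENSIONS:
        return "executable"
    if ext in MACRO_EXTENSIONS:
        return "macro-enabled document"
    if ext in ARCHIVE_EXTENSIONS:
        return "archive (contents unknown)"
    return "document"


def list_attachments(raw_bytes):
    """Parse a raw RFC 822 message; return [(filename, content_type, label)]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results.append((name, part.get_content_type(), classify_filename(name)))
    return results


def build_sample_message():
    """Constructed sample: a 'missed delivery' mail with two attachments.

    The attachment bodies are placeholder bytes, not real files."""
    msg = EmailMessage()
    msg["From"] = "notice@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Missed delivery notice"
    msg.set_content("Your parcel could not be delivered. See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf",
                       filename="notice.pdf")
    msg.add_attachment(b"MZ constructed placeholder",
                       maintype="application", subtype="octet-stream",
                       filename="Delivery_Notice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    # To check a real message, replace build_sample_message() with
    # open("saved_message.eml", "rb").read().
    for name, ctype, label in list_attachments(build_sample_message()):
        print(f"{name:28} {ctype:26} {label}")
```

Run it and the second attachment is reported as “executable (double extension)”, even though the mail client may have shown only “Delivery_Notice.pdf” if extensions are hidden. That is exactly the case where the article’s advice applies: don’t reply, call the shipping company’s local office.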
Don’t be part of the 10%.