
What is it about attachments?

This week, a report about the most common vectors for data breaches and related issues was released.

You and I are the weakest link.

For at least one large segment of malware attacks, it’s our propensity to download and open email attachments that gets us into trouble.

A couple of scary numbers from that report: 1 in 10 people will download and open an attachment to a phishing email or spam message. The average time between a phishing email being sent and the first victim taking the bait is 22 seconds.

What the heck is it about email attachments that makes them so darned irresistible?


Attachments are useful

The problem begins with the fact that email attachments are darned useful.

I have a file, and I want to get it to you. Often the quickest and easiest way to do so is to simply compose an email to you, attach the file and press Send. After that, magic happens.

For example, it’s not uncommon for folks to want to submit a screen shot with their Ask Leo! question. The best way to do that? Submit the question, and then reply to the confirmation email message with the screen shot image as an attachment. Nothing could be simpler. Taking the screen shot was probably the hardest part of that process.

Given the rate at which we exchange data with friends, co-workers, and even tech support sites, email attachments have become a cornerstone of our digital life.

We’ve been trained to open attachments

Because attachments are so common, we don’t think twice about getting them, and we don’t think twice about opening them.

We’ve been trained to use and open attachments even when they’re not needed.

My favorite pet peeve1 is the office worker who carefully types up a short memo using a program like Microsoft Word. Then, instead of just copy-and-pasting the contents of the document as the body of the email, he or she sends the entire Word document as an attachment, with the body stating something like “important memo attached”.

There’s no need. The mail with an attachment is larger, slower, and less likely to make it past spam filters. The recipients are forced to open the attachment or, in many environments, suffer the consequences of missing the memo.

This kind of attachment abuse has lowered our sensitivity to the dangers that attachments represent.

Attachments don’t kill computers…

Now, let’s be clear: attachments aren’t evil in and of themselves. It’s how attachments are used and abused that leads to the problem.

  • We’re trained to open attachments without thinking too hard.
  • Attachments can contain anything, good or evil; they could contain important files, or they could contain devastating malware.

That sounds like a recipe for disaster. And it is.

When 10% of the audience will open an untrusted attachment to a phishing email, that’s hacker gold. That’s a spammer’s dream.

That’s our nightmare.

Attachments are often no longer necessary

Attachments were originally created to solve a specific problem: getting a file from point A to point B.

Back in the days before always-on networks, email’s “store and forward” approach to getting a message to its recipient “eventually” was a fantastic way to perform file transfers. In some cases, entire file repositories (the equivalent of today’s download sites) were available primarily via email request.2

We’ve come a long way since then, and those attachment habits we developed are most often no longer necessary. The easiest alternative? Place a file in something like DropBox or OneDrive and share a link. Not only does this make your email smaller and more likely to make it through (without forcing a lengthy download on the recipient just to read the email), but it also provides accountability that simply isn’t possible with the currently spoofable email system.3

And of course there’s simply no reason to attach a document when the message could be just as easily placed into the body of the email.

Attachments: think twice, then think again

Think twice about sending attachments at all. Use shared online storage instead – be it internally, on your company network, or on an internet service like DropBox or OneDrive. Have photos to share? Put them online instead of forcing the recipient to download them. If you’re concerned about privacy, use a service that lets you control who sees what. In any case, it’ll be more secure than an email attachment, which can be viewed by anyone who has access to the path your email might take.

Think twice – and then twice again – before opening any attachment. Unless you know better, your initial reaction to an attachment should always be one of mistrust. In particular:

  • No financial organization will ever send you a “secure message” as an unsolicited attachment. (And if they do, they don’t “get” security, and I’d think twice about continuing to be their customer.)
  • Shipping companies never send paperwork about missed deliveries as attachments. This is one of the most common ways that people get fooled. If you’re uncertain at all, pick up the phone and call the local office.

And of course, nobody in Nigeria wants to share money with you. But you already know that.

You can scan an attachment using your anti-malware tools after you download it and before you open it, but if you’re even a little unsure, it’s better to check with the sender. Don’t reply to the email – of course someone sending you a phishing email from a hacked account will claim it’s legitimate. Instead, pick up the phone, or use some other means of double checking.
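A worked illustration of the “download it, look at it, but don’t open it” advice above. This is an added example, not code from the article or from Ask Leo!: it builds a constructed “missed delivery” message (the courier address, filenames and fake executable bytes are all invented for the demo), then enumerates the attachments without launching any of them, recording each one’s declared type, size and SHA-256 hash (what you would hand to an anti-malware scanner or a hash lookup) plus simple warning signs such as an executable extension, a double extension like `.pdf.exe`, or a Windows executable `MZ` header hiding behind an innocent name.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_SUFFIXES = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".hta", ".ps1", ".jar", ".msi", ".cpl",
}

# Constructed fake "executable" for the demo: only the MZ signature is real.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60


def build_sample_message() -> bytes:
    """Construct a sample 'missed delivery' lure (invented, not a real message)."""
    msg = EmailMessage()
    msg["From"] = "notices@courier.example"      # hypothetical sender
    msg["To"] = "you@example.com"                # hypothetical recipient
    msg["Subject"] = "Missed delivery - paperwork attached"
    msg.set_content("We could not deliver your parcel. Open the attached form.")
    # A double-extension executable dressed up as a PDF.
    msg.add_attachment(FAKE_PE, maintype="application", subtype="octet-stream",
                       filename="Delivery_Notice.pdf.exe")
    # A harmless text attachment for contrast.
    msg.add_attachment(b"plain memo text", maintype="text", subtype="plain",
                       filename="memo.txt")
    return msg.as_bytes()


def risk_flags(filename: str, data: bytes) -> list[str]:
    """Reasons to distrust an attachment, judged from its name and first bytes only."""
    flags = []
    suffixes = [s.lower() for s in Path(filename).suffixes]
    if suffixes and suffixes[-1] in EXECUTABLE_SUFFIXES:
        flags.append("executable extension")
        if len(suffixes) >= 2:            # e.g. report.pdf.exe
            flags.append("double extension")
    if data[:2] == b"MZ":                 # Windows executable, whatever it is called
        flags.append("MZ header")
    return flags


def list_attachments(raw: bytes) -> list[dict]:
    """Enumerate and hash attachments without ever opening (executing) them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        report.append({
            "filename": name,
            "content_type": part.get_content_type(),
            "size": len(data),
            # The hash is what you submit to a scanner or reputation lookup.
            "sha256": hashlib.sha256(data).hexdigest(),
            "flags": risk_flags(name, data),
        })
    return report


if __name__ == "__main__":
    for row in list_attachments(build_sample_message()):
        verdict = "SUSPICIOUS" if row["flags"] else "ok"
        print(f'{row["filename"]}: {row["content_type"]}, {row["size"]} bytes, '
              f'sha256={row["sha256"][:16]}... [{verdict}] {", ".join(row["flags"])}')
```

The checks are deliberately cheap and name-based; a clean report means only that nothing obvious was found, which is exactly why the article still tells you to confirm with the sender through a different channel.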

Don’t be part of the 10%.


Footnotes & references

1: If that phrase even makes sense.
2: I’m thinking of the old SimTel archives, for those who remember. I’m sure there were more.
3: Yes, there are anonymous upload sites. Don’t use them, and don’t train people to use them. They’re anonymous. Files shared on services like DropBox, OneDrive and others can always be traced back to their account owner.

23 comments on “What is it about attachments?”

  1. There is one reason why I prefer sending files as attachments to putting them up online and sending a link: I don’t need to worry about an attachment after I send it.

    If I upload a file to cloud storage (e.g. Dropbox), share it, then send a link, I have three options for dealing with that file:
    1. Ask the recipient to tell me when they’ve downloaded the file, so that I can delete it. This is highly inconvenient for the recipient.
    2. Try to detect on my own when they’ve downloaded it by using the cloud storage’s download counter, if one is provided, and delete the file afterwards. This risks deleting the file too early: maybe they started the download, then changed their mind and canceled it, deciding to download it later, but the download counter still detects a download, so I notice it and, mistakenly believing the recipient has already downloaded the file, delete it. I can be extra careful to avoid this kind of false positive, but it’s still a lot of hassle.
    3. Keep the file uploaded and available for download indefinitely. This decreases the amount of cloud storage I have available and, more importantly, increases clutter in my cloud storage.

    On the other hand, with attachments, the file is stored at the recipient’s email server and counts towards their storage limits, not mine. They can keep the attachment on the server for as long as they need and delete it when they no longer need it—which they can determine more easily than I can. That’s much less hassle for both me and the recipient.

    Of course, there are cases when I can’t send attachments—most notably, when they are too large. Then I have no choice but to fall back to cloud storage. However, if I have the option, I’d definitely use attachments.

    • @VoidPhantom

      Option 4 (Which I use)

      “This attachment will be available for download until April 30, 2015. Please make sure you download it before then, otherwise it will no longer be available. ”

      Then on May 1st, delete the file.

  2. Leo!

    Today I was just thinking of asking you to write something about a similar subject, which is still the result of opening email attachments in a careless way: file encryption.

    The day before yesterday I received a call from a man I do not know, but whom a mutual friend had told to get in touch with me, asking for help to recover files that had been affected by CryptoWall 3.0, which encrypts files with RSA-2048 encryption.

    As I have only recently started following your work here, I have not had time to research whether you have already written something about this encryption, following on from the subject discussed today.

    Forgive me; English is not my native language.

    Excellent work!

    • The secret is in being able to tell where the email came from. If the email came from a good guy, then opening the attachment or clicking a link is perfectly safe. If the email came from a bad guy, then clicking a link or opening an attachment is equally dangerous!

      • That’s true if it really came from a good guy. Unfortunately, hackers can make it appear that the rogue email came from a friend. I often get spam links supposedly from friends whose accounts or machines were compromised.

      • And given the ability to “spoof” the sender of an email, it’s incredibly difficult for the average user to prove that an email came from who it says. That’s why I so often recommend confirmation via a different channel if uncertain at all.

      • The problem is that even friends sometimes forward links that are bad stuff or it could be a spoofed address.
        I “train” people I know to never send a generic “this is cool” message. Spoofed email senders really don’t know people. They have to send things with generic terms to the million people.

    • Not really – with pretty much the same caveats: only click/open links/attachments that you KNOW to be safe. Not sure? Don’t click/open. (The news report that caused me to write this talks about direct infection by attachment, but malicious links have their own similar set of issues.)

  3. The latest scam is receiving a familiar name via email, tempting, yes, but the giveaway is in the initial wording, always awkward, yet you might think it’s just a bulk mailing even though you’ve never received such by this person (which isn’t the person you’re supposed to think it is). “Symform” came from somewhere like this and crashed my computer, but still shows up saying “C’mon back, we’ve missed you”. Uh huh. Best policy: never open an attachment, ever. Sure we will if we’re sure, but how can you be really sure? We’re raised to trust and help people, but that can be usurious. With the world wide web of internet there are no hard and fast rules yet – except don’t trust anything or anybody.

  4. Leo,

    Do you imply that bad guys would not spread malware through cloud links because it could be traced back to them? Is that a strong enough deterrent? If they are based in Russia, China or La-La-Land, as they often are, would they really care?

    And what about involuntary infection by legitimate correspondents, who would link to a file they would not know is infected? Isn’t that a risk, even on the cloud?

    • Bad guys will always be looking for ways to trick people. I think the point of the article is to not do anything blindly, like clicking on attachments.

    • Not at all – links are indeed another way that malware spreads. Links to cloud services could be to compromised accounts, for example.

  5. By the way, do the cloud storage sites scan files for malware? (You can tell I don’t currently use them.)

      • Thank you.

        Now I’m lost. If links to cloud storage can bring up malware the way attachments do, why is it advisable to prefer them? Except for the fact that it’s cleaner, and more polite, because you don’t hammer your correspondents with big files (which might be rejected anyway by some mail servers)?

        • One advantage of cloud storage is that scammers don’t currently use that technique to send malware. (I hope they’re not reading this)

        • Mostly because spammers don’t use them. Remember, there is no black or white here – that’s what makes this difficult. ANYTHING could be malicious. As it turns out, simple attachments are more frequently used by hackers because they’re easier to construct (it doesn’t require access to a hacked account) and people open them when they shouldn’t. As a result, using anything except attachments is more secure. Perfectly secure? No. There’s no such thing. But more secure, most definitely.
