Can I Get a Virus Just By Opening an Email?

Category: Email

I’m often asked if it’s possible to get a computer virus by simply opening an email. It is true that email has always been one of the most popular attack vectors. Hackers, spammers, phishers and scammers are all knocking on the door of your inbox. But how easily can they slip in, and wreak havoc on your computer? Let's find out...

Viruses and Other Threats in Your Email

The probability that you could be infected by an email-delivered virus just by opening a message was once terrifyingly large. But the vulnerabilities that made it so were quickly addressed by developers of email clients and antivirus software. Today, you have to do some pretty foolish things to catch a virus by simply opening an email.

But myths, urban legends and endlessly repeated tales of the cousin of the friend of a friend who got a virus by opening an email die hard on the Internet. And ironically, these tales live on and are propagated largely by email. I still get warnings of the Hallmark Virus, the Olympic Torch Virus and similar missives warning me not to open emails with certain subject lines, or a horrible uncurable virus will wipe out my hard drive.

The possibility of virus-infected email arose with the introduction of HTML email, way back in the early 2000s. HTML gave us the ability to use fonts, colors, images and fancy formatting in emails, but it could also contain hidden executable code in the form of Java or Javascript. That code could do the bidding of bad guys if it could be triggered to execute. Opening an infected HTML email, or even allowing your email client to display it in the preview pane, could execute the code.
Email and Viruses

The good news is this vulnerability was noticed almost immediately, and steps were taken to close it. Email clients stopped supporting Java and Javascript. Images embedded in HTML email, which could contain malware, are not displayed by default. Vulnerabilities in email software and operating systems were patched. Spam filters began blocking emails that contained suspicious code. Email-scanning was added to anti-malware programs.

Today, you may be able to disable some of the multiple safeguards built into your email client. You may be using a ten year-old version of Outlook Express that doesn’t contain any safeguards. Maybe you've stubbornly clung to your copy of Windows 98, or you've refused to install any of the security updates or service packs for newer versions of Windows. You may even eschew virus protection that includes email-scanning in real time.

But you’re not that foolish, are you? You don't even have to spend money to get excellent Internet security software. See my article Free Anti-Virus Programs ( to find links to a dozen free anti-virus and anti-spyware tools.

Some people don’t send or read HTML; they stick with old-school plain text email. That’s a sure way to avoid triggering embedded malicious code, but it makes for a very poor email experience. Also, it doesn’t entirely protect against email-born malware.

Beyond the First Click: Other Email Threats

Okay, so the likelihood of being infected just by clicking to open a message sitting in your inbox is vanishingly small. I'd venture to say it's zero if you allow Windows to automatically update, and you have anti-virus protection. But once you open that email, other dangers lurk. It's the second click that'll get you in trouble.

Files attached to either plain-text or HTML email can contain viruses. That is why it is so important not to click on any attachment whose sender you do not know and trust. Because email senders’ addresses can be faked, it’s also vital to use anti-malware software that scans every email attachment.

The bad guys out there rely mainly on social engineering to entrap victims these days. Typically, that means a phishing email that masquerades as something from a trusted sender, urging you to click on a link in the email. Some typical ploys are messages that promise juicy gossip, graphic photos or racy videos. These messages often try to pique your curiousity by mentioning celebrities, public figures or current events.

Other emails may pretend to be from a company that you know, such as your bank, Facebook, Paypal or eBay. One false click and you could be dealing with a nasty virus, or caught in the snare of identity thieves. See my related article Spear Phishing and Internet Security for more information on email phishing, and how to defend against it.

One of the things I like about web-based email, and GMail in particular, is that you're protected from most of these threats without installing any software at all. If a message with a suspicious link or attachment comes your way, it's either blocked completely, or a warning is displayed that the content may be malicious.

If you use webmail, or you're conscientious about keeping your desktop email software up to date, there is no reason to fear that you will catch a virus simply by reading an email. But be careful about clicking on links or attachments. That's where the trouble starts.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 17 Aug 2012

For Fun: Buy Bob a Snickers.

Prev Article:
Blast From the Past: The Internet Archive

The Top Twenty
Next Article:
Seven Free Cloud Services You Should Try

Most recent comments on "Can I Get a Virus Just By Opening an Email?"

Posted by:

17 Aug 2012

You wrote:"Other emails may pretend to be from a company that you know, such as your bank, Facebook, Paypal or eBay." I think you really should have mentioned UPS and DHL, since their "package notifications" undoubtedly trigger people's curiosity, more than anything else. It's a smart trap, those a***holes really know what they're doing - and what people are like. They have degrees in psychology?

Posted by:

17 Aug 2012

If I am not wholly convinced of an email's authenticity I analyse its header at (right click > Properties > Details tab > Message Source. Select all the header text and copy. Open IpTrackerOnline and paste into the box indicated. Press "Submit header for analysis").

Sure enough, some (apparently) very reputable organisations have dealings in exceedingly odd places - Nigeria (of course!), south east China and even what appeared to be the middle of a field off a very minor road in the middle of Idaho! Personally, I never believe it and move on.

Sometimes, just for fun, I also carry out an analysis with emails that are quite obviously dodgy just to see who is trying to fool who.

Posted by:

Martin Wilkinson
17 Aug 2012

I had a virus hit when ordering a repeat prescription for medication online. I did not open or view any e-mail or click any link other than the usual ones on the site I was using, and suddenly a fake antivirus program kicked in which bypassed and disabled fully updated Microsoft Security Essentials, disabled Internet Explorer, and kept running fake antivirus scans and warning that all my bank details were being downloaded by a hacker. On that computer the only e-mail used was GMail on the web. Is there anything we could have done to prevent the virus coming?

Posted by:

Jonathan Baker
17 Aug 2012

The short answer is "yes, but not likely." Are there any data showing the likelihood of acquiring a virus by this means? Analysis is good, data are better.

Posted by:

17 Aug 2012

I was an IT when NIMDA hit. Took out 1/3 of our computers, worldwide.
I've also had 3 security suites (Norton, AVG, ZoneAlarm) taken out on personal PCs, so now use a collection of free security programs, with AVAST as the primary, and keep everything up-to-date. Occasionally, something still gets in (2 users on this computer), but not devastating.
Biggest threat, now, is Facebook, but only the naive would click on everything that pops up, there.
You're doing great, Bob. You're valuable for those of us who are no longer in the business, but still need to keep up to date for our own sake, and you run information on items I hadn't even considered. Thank you.

Posted by:

17 Aug 2012

As usual a good update for anyone not a computer geek. I have often wondered whether or not opening an email from an unknown person/address would be a problem considering most present day security programs I assumed scanned said email.Good to know that I can at least open it with the proviso that I don't open any thing else.

Posted by:

Joe Schwab
17 Aug 2012

Bob--you're a very good writer and your valuable insight into computers and the web each day make your newsletter a must read. Thanks for your dedication and (to quote Stephen Colbert) your "truthiness."

Posted by:

Marie Stein
17 Aug 2012

Last week I opened an email that contained a facimile of a check. As soon as I saw what it was I either deleted it or hit the spam button, I don't remember which. It contained a virus that used my email account to sent emails out to everyone on my Address Book. I ran every security program I have and all said there was no problem, but the emails continued to go out. Finally I called AOL and they got rid of the virus for me.
How could I have avoided the hassle to myself and my contacts?

Posted by:

17 Aug 2012

What is the vulverability of pictures embedded in an email, text, html or otherwise, that are not open but open when you click on them?

Posted by:

Jan Bevill
17 Aug 2012

Hi Bob,
My older e-mail was "hacked" and I have a new e-mail address. Can I go into the older e-mail that is supposed to be safe and open any of the folders and send info to my new e-mail?
Thanks Bob,

Posted by:

Nancy Teppler
17 Aug 2012

I would add: If interested in something sent in an email, don't use any link in the email, itself, to check on it. Google the item to read about it. Use the item name followed by "scam" to see if emails are scamming people with this topic. Find the legitimate web address for the item/company. Put the legitimate web address in your browser, yourself, rather than clicking to get there. This goes for ads or prompts you may see on other websites and social media sites as well. If you get unusual mail from any of your usual contacts,ignore whom it "says" it's from. Instead, right click on the email in the list and left click on "Properties." The sender's email address appears . Be safe; have fun :)

Posted by:

john kay
17 Aug 2012

thanks for the timely information ... we (supposedly) had virus on one of our office computers last week. i thought the whole network would be effected, but it only bit into one workstation/laptop.

i'm always impressed by your sound advice and the way you present it in a way that the average computer user can understand. keep up the great work. Peace.

Posted by:

Michael Moseley
18 Aug 2012

Now if they could only stop spam. My ISP does a great job at stopping them but still get tired of deleting rejected spam emails.

Posted by:

18 Aug 2012

You say:
> Images embedded in HTML email, which could contain malware,
> are not displayed by default.

So is there a danger in choosing to display an image? There's
an awful lot of 'em.

Posted by:

Carol Mills
18 Aug 2012

Coincidentally,today I opened an e-mail with subject line claiming I may not be protected & might need a Norton update. I first tried to forward it to an abuse line, but was unable. Nor could I exit until I turned off power at the surge protector. "" was the URL. I did not click on the link. I reconnected and then read your newsletter re: getting virus just by opening e-mail. Good timing.

Posted by:

10 Sep 2012

I just received an email that looked like it authentically came from UPS. It had all the logos. It told me that the package I had mailed could not be delivered because there was a problem with the address. It asked me to click on a link to "their" shipping department to correct the error. Since I had just recently sent some thing by UPS I clicked on the link. BAM! I was inundated with a ton of virus alerts with the warning to to use a virus scan to check on them. What that did was to disable my virus protection when I went to do a scan. So I immediately shut down my laptop and restarted it in the safe mode. From there I went in found the thread that caused the problem and cleared all of it out of my registry. What amazed me was the authenticity in using the UPS logo and email format. Just wanted to let people know.

Posted by:

12 Mar 2016

Nancy Teppler, I had learned to go directly to sites of interest instead of clicking via emails; and even on sites to look up top to verify the address it came to.

But from your comment I'll now also start typing website addresses myself, after I find them on search engines, as well as looking where they take me, since where they take me could look authentic to the casual observer but be malicious.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy     RSS/XML

Article information: AskBobRankin -- Can I Get a Virus Just By Opening an Email? (Posted: 17 Aug 2012)
Copyright © 2005 - Bob Rankin - All Rights Reserved