Can Simply Opening an Email Trigger a Virus?

Category: Email , Security

Is it possible to get a computer virus by simply opening an email? It's true that email has been and remains one of the most popular attack vectors. Hackers, spammers, scammers, phishers and other cyber-miscreants are all knocking on the door of your inbox. But is it really that easy to slip in, and wreak havoc on your computer? Let's find out...

Viruses and Other Threats in Your Email

Can you get a virus just by opening an email? The likelihood of your computer becoming infected by an email-delivered virus just by opening a message was once terrifyingly large. But the vulnerabilities that made it so were quickly addressed years ago by developers of email clients and antivirus software. Today, you have to do some pretty foolish things to catch a virus via your email inbox.

But myths, urban legends and endlessly repeated tales of Cousin Vinny, who has a friend who knows a guy that lives near the police station in a major city, who got a virus by opening an email -- those die hard on the Internet. And ironically, these tales live on and are propagated largely by... email. I still get occasional warnings about the Hallmark Virus, and similar missives warning me not to open emails with certain subject lines, or a horrible uncurable virus will wipe out my hard drive.

The possibility of virus-infected emails arose with the introduction of HTML email, way back in the early 2000s. HTML gave us the ability to use fonts, colors, images and fancy formatting in emails, but it could also contain hidden executable code in the form of Java or Javascript. That code could do the bidding of bad guys if it could be triggered to execute. Back in the day, opening an infected HTML email, or even allowing your email client to display it in the preview pane, could execute the code.

Email and Viruses

The good news is this vulnerability was noticed almost immediately, and steps were taken to close it. Email clients stopped supporting Java and Javascript. Vulnerabilities in email software and operating systems were patched. Spam filters began blocking emails that contained suspicious code. Email-scanning was added to anti-malware programs.

Today, you may be able to (unwisely) disable some of the multiple safeguards built into your email client. You may be using an ancient version of Outlook Express that doesn’t contain any safeguards. Maybe you've stubbornly clung to your copy of Windows XP, or you've refused to install any of the security updates available for newer versions of Windows. You may even eschew virus protection that includes email-scanning in real time.

But you’re not that foolish, are you? You don't even have to spend money to get excellent Internet security software. The free versions of Avast and Avira are used by millions of users.

Some people don’t send or read HTML; they stick with old-school plain text email. That’s a sure way to avoid triggering embedded malicious code, but it makes for a poor email experience. Also, it doesn’t entirely protect against email-borne malware.

Beyond the First Click: Other Email Threats

Just to be clear, I'm talking about that first click -- simply opening and viewing an email message that has arrived in your inbox. The likelihood of being infected just by clicking to open a message sitting in your inbox is vanishingly small. I'd venture to say it's zero if you have an updated email client, you allow Windows to automatically update, and you have anti-virus protection. But once you open that email, other dangers lurk.

It's the second click that'll get you in trouble.

Files attached to either plain-text or HTML email can contain viruses. That is why it is so important not to click on any attachment whose sender you do not know and trust. Even if you do know and trust the sender, caution is needed. The email sender's addresses can be faked, or the sender's computer may have been compromised, so it’s vital to use anti-malware software that scans every email attachment. You may even want to call the sender, to be sure the attached file is legit.

The bad guys out there rely mainly on social engineering to entrap victims these days. Typically, that means a phishing email that masquerades as something from a trusted sender, urging you to click on a link in the email. Some typical ploys are messages that promise juicy gossip or racy photos. These messages often try to pique your curiousity by mentioning celebrities, public figures or current events. Have You Heard The Sad Truth About Justin Bieber? Willie Nelson Confirms Unfortunate News! Awkward Moments That Wedding Photographers Should Not Have Captured!

Other emails may pretend to be from a company that you know, such as your bank, Amazon, FedEx, Paypal or eBay. Oh no... your account is about to be suspended! One false click and you could be dealing with a nasty virus, or caught in the snare of identity thieves. Some malicious emails will instruct the recipient to call a phone number to restore access to a blocked account, release a package for delivery, or verify details of a financial account. Always look for the customer service number of a business on their website, not in an email. See my related article Have You Been Phished? for more information on email phishing, and how to defend against it.

One of the things I like about web-based email, and GMail in particular, is that you're protected from most of these threats without installing any software at all. If a message with a suspicious link or attachment comes your way, it's either blocked completely, or a warning is displayed that the content may be malicious. My GMail spam folder catches about 200 bogus messages every day. Yahoo Mail and Microsoft's are some other examples of webmail services.

If you use webmail, or you're conscientious about keeping your desktop email software up to date, there is no reason to fear that you will catch a virus simply by reading an email. But do be careful about clicking on links, opening attachments, or calling phone numbers that appear in emails. That's where the trouble starts.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 13 Jul 2022

For Fun: Buy Bob a Snickers.

Prev Article:
Is Software Piracy a Victimless Crime?

The Top Twenty
Next Article:
Hard Drive Partitioning Myths, Mistakes, and My Advice...

Most recent comments on "Can Simply Opening an Email Trigger a Virus?"

Posted by:

13 Jul 2022

Very helpful article, Bob, thank you.


Posted by:

13 Jul 2022

I use the Thunderbird e-mail client with no problem at all.On some messages I receive,I will get a message stating Thunderbird is protecting my privacy by blocking remote content.

I guess this should be Java scripts or HTML content that could harbor malware.Most of my e-mail messages are from familiar sources,but I do get the few that are not regular visitors,so I am cautious about those.

Don't forget spam filters and folders that put spam messages in their place.My e-mail provider is very good at blocking spam messages.I get a message once in a while to look at my spam folder for suspicious messages.Another way to stop malware from getting into your computer.

Posted by:

Tom Plain
13 Jul 2022

Very helpful. This may be off subject a bit but I recently received a Facebook message from a friend of my father saying there was a picture of me. Foolishly I copied the link and tried to open it. It took me to some site that wanted me to download some new version of Adobe something. I quickly backed out. It was on my iPad so I hope I escaped unscathed.

Posted by:

Marge Teilhaber
13 Jul 2022

I always knew this and use gmail and was never worried. Great to see this from you, Bob. I practice what you preach!

Posted by:

13 Jul 2022

I've used Yahoo Pro since the late 90's, their spam filter is excellent, but there's so much spam, I delete it every few days, but if you try to open an infected email attachment, which I did once 25 years ago, they will flat out tell you no, it's a virus. I also have multiple other protections, Malwarebytes Pro (got a lifetime license for $25 when they still offered that), browser extensions, hardware and software firewalls. In 30 years of using the Internet, I've never had a virus and don't expect I ever will. Safety first, friends. :^)

Posted by:

13 Jul 2022

@Gene - How in the world did you manage that with Malware Pro? I bought their lifetime license years ago (decades?) and when they refused to honor it.

Posted by:

13 Jul 2022

I recently got email about a free drill just for doing a survey. I did the survey and needed to pay with my credit card small shipping fee.
Next thing I know credit card flagged 3 charges as fraud! So gave me a new card. Lucky I guess!

Posted by:

13 Jul 2022

My Cox webmail spam filter is a joke (the only sole occupant of my spam folder every day is a newsletter I requested and must daily OK for inbox). Given this, I've found unsubscribing very helpful. Could clicking on a unsubscribe link be risky as well?
Thanks for all you do!

Posted by:

14 Jul 2022

I access my email accounts through Firefox 100 browser and use PC MATIC Pro Evergreen for my security. PC Matic is superb....been attacked many
times....never got through my PC Matic.

Gmail, even Windows 10 with Microsoft updates are
conduits for malware/virus attacks.....but PC Matic
catches it all and protects me.

Posted by:

Ernest N. Wilcox Jr.
14 Jul 2022

This item is a perfect description of the email part of what I call Cognitive Security. To get to full Cognitive Security, users must employ these behaviors (rules) to ANYTHING that comes from the Internet (social media, Web sites, etc.) accompanied with a healthy dose of skepticism. Even when something seems to be coming from someone (or some organization/company) you know and trust, before clicking, check with the source/sender to ensure that whatever it is that you have received was sent by them/it.

When an email attempts to get you to click a link (or some website for that matter), take a moment to double-check the URL the link is actually taking you to by hovering your mouse over it (on a PC running Windows/GNU/Linux), and (the URL) will be displayed. If it does not match the text on the link, be very suspicious, and don't click. Instead, if you still want to go wherever the link is purporting to send you, perform an Internet search for it (the link text) and use the link from your search to go there.

I don't know how to check the URL of a link on my phone/tablet, and that is why I avoid surfing the web on android devices. If anyone knows how to check the URL of a link on an Android device, please post that information to help the rest of us less informed users.


Posted by:

14 Jul 2022

@Ernest N. Wilcox Jr. Here is how to find URL.

Posted by:

14 Jul 2022

We are very careful plus we have PCMatic, yet a scan on SpyBot has found we have a TCP/IP Hijack (ADLAUNCH) on our computer. It has changed the registry.

Very disappointed it got past PCMatic, and do not know how to proceed as it comes back on the next SpyBot scan after being fixed.

Not computer savvy so seriously thinking about buying a new computer, but am concerned it will appear on a new computer given time as I don't know how it got there in the first place, so don't know what to stop doing.

Interestingly, MalwareBytes does not find it.

Posted by:

14 Jul 2022

BoinLV: if it's something that you've legitimately subscribed to that you no longer want, unsubscribe. If you have no idea how they got your email address, mark as spam and delete. Do not confirm that your email address is good - or risk going to a dangerous website - by unsubscribing!

Posted by:

14 Jul 2022

BoinLV .. try adding the address of the newsletter you have subscribed to in your contacts. That *should* fix the spam folder issue.

Posted by:

15 Jul 2022

I get spam mail saying that my Norton's or McCaffee has expired and I have 23 viruses. They always say the same thing and they have been coming for months even though I have never had any of those anti-virus programs on my PC. I just laugh and hit DELETE.

Posted by:

Ernest N. Wilcox Jr.
15 Jul 2022

@Gary, Thank you for the link. Now I can check the URL of a link in an email or on a web page by simply holding the link with my finger (a dialog containing the URL will open).

I already knew that when I scan a QR code on my phone, the link is displayed at the bottom of the window. Knowing how to verify the URL my device is about to be taken to is fundamental to safe Internet use :)


Posted by:

02 Jan 2023

Thanks Bob. Even though I mostly use an iPad, or sometimes my MacBook Pro, this is good to know.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Can Simply Opening an Email Trigger a Virus? (Posted: 13 Jul 2022)
Copyright © 2005 - Bob Rankin - All Rights Reserved