Can You Get a Virus By Opening an Email?

Viruses and Other Threats in Your Email

Can you get a virus just by opening an email? The likelihood of your computer becoming infected by an email-delivered virus just by opening a message was once terrifyingly large. But the vulnerabilities that made it so were quickly addressed years ago by developers of modern email clients and antivirus software. Today, you have to do some pretty foolish things to catch a virus via your email inbox.

But myths, urban legends and endlessly repeated tales of Cousin Vinny, who has a friend who knows a guy that lives near the police station in a major city, who got a virus by opening an email -- those die hard on the Internet. And ironically, these tales live on and are propagated largely by... email. I still get occasional warnings about the Hallmark Virus, and similar missives warning me not to open emails with certain subject lines, or a horrible uncurable virus will wipe out my hard drive.

The possibility of virus-infected emails arose with the introduction of HTML email, way back in the early 2000s. HTML gave us the ability to use fonts, colors, images and fancy formatting in emails, but it could also contain hidden executable code in the form of Flash, Java or Javascript. That code could do the bidding of bad guys if it could be triggered to execute when an email was opened. Back in the day, opening an infected HTML email, or even allowing your email client to display it in the preview pane, could execute the code.

The good news is this vulnerability was noticed almost immediately, and steps were taken to close it. Email clients stopped supporting Flash, Java and Javascript. Vulnerabilities in email software and operating systems were patched. Spam filters began blocking emails that contained suspicious code. Email-scanning was added to anti-malware programs. Most email service providers proactively scan, detect and warn of any potentially suspicious or malicious emails or attachments.

If you use GMail, you've probably seen a banner like this across the top of an incoming message: "This message seems dangerous" followed by a warning that "Similar messages were used to steal personal information, so this might contain unsafe content. Avoid clicking links, downloading attachments, or replying with personal information."

Today, you may be able to (unwisely) disable some of the multiple safeguards built into your email client. You may be using an ancient version of Outlook Express that doesn’t contain any safeguards. Maybe you've stubbornly clung to your copy of Windows XP, or you've refused to install any of the security updates available for newer versions of Windows. You may even eschew virus protection that includes email-scanning in real time.

But you’re not that foolish, are you? You don't even have to spend money to get excellent Internet security software. The free versions of Avast and Avira are used by millions of users. I take my computer security a step further, by using PC Matic "whitelist" approach, which assumes ALL incoming links and files are malicious, unless they've been previously vetted and found safe. (RELATED: See my review of PC Matic 4.0)

Some people don’t send or read HTML; they stick with old-school plain text email. That’s a sure way to avoid triggering embedded malicious code, but it makes for a poor email experience. Also, it doesn’t entirely protect against email-borne malware.

Beyond the First Click: Other Email Threats

Just to be clear, I'm talking about that first click -- simply opening and viewing an email message that has arrived in your inbox. The likelihood of being infected just by clicking to open a message sitting in your inbox is vanishingly small. I'd venture to say it's zero if you have an updated email client, you allow Windows to automatically update, and you have anti-virus protection. But once you open that email, other dangers lurk.

It's the second click that'll get you in trouble.

Files attached to either plain-text or HTML email can contain viruses. That is why it is so important not to click on any attachment whose sender you do not know and trust. Even if you do know and trust the sender, caution is needed. The email sender's addresses can be faked, or the sender's computer may have been compromised, so it’s vital to use anti-malware software that scans every email attachment. You may even want to call the sender, to be sure the attached file is legit.

Oh, and don't assume that non-executable files are safe. There have been instances of malware hiding inside Word or PDF documents. Downloading and then opening the document could trigger malicious code hidden inside. Regularly updated security software should catch these threats, but there's always the possibility of a "zero-day" attack. (See my related article Will Your Antivirus Software Fail You?)

The bad guys out there rely mainly on social engineering to entrap victims these days. Typically, that means a phishing email that masquerades as something from a trusted sender, urging you to click on a link in the email. Some typical ploys are messages that promise juicy gossip or racy photos. These messages often try to pique your curiousity by mentioning celebrities, public figures or current events. Have You Heard The Sad Truth About Justin Bieber? Willie Nelson Confirms Unfortunate News! Awkward Moments That Wedding Photographers Should Not Have Captured!

Other emails may pretend to be from a company that you know, such as your bank, Amazon, FedEx, Paypal or eBay. Oh no... your account is about to be suspended! One false click and you could be dealing with a nasty virus, or caught in the snare of identity thieves. Some malicious emails will instruct the recipient to call a phone number to restore access to a blocked account, release a package for delivery, or verify details of a financial account. Always look for the customer service number of a business on their website, not in an email. See my related article Have You Been Phished? for more information on email phishing, and how to defend against it.

One of the things I like about web-based email, and GMail in particular, is that you're protected from most of these threats without installing any software at all. If a message with a suspicious link or attachment comes your way, it's either blocked completely, or a warning is displayed that the content may be malicious. My GMail spam folder catches about 200 bogus messages every day. AOL, Yahoo Mail and Microsoft's Outlook.com are some other examples of webmail services.

If you use webmail, or you're conscientious about keeping your desktop email software up to date, there is no reason to fear that you will catch a virus simply by reading an email. But do be careful about clicking on links, opening attachments, or calling phone numbers that appear in emails. That's where the trouble starts.

Your thoughts on this topic are welcome. Post your comment or question below...