Can You Get a Virus By Opening an Email?

Category: Email , Viruses

A concerned AskBob reader wants to know... “Is it possible to get a computer virus by simply opening an email?” It's true that email has been and remains one of the most popular attack vectors for hackers, spammers, scammers, phishers and other cyber-miscreants that are jiggling the latches on the door of your inbox. But is it really that easy to slip in, and wreak havoc on your computer? Let's find out...

Viruses and Other Threats in Your Email

Can you get a virus just by opening an email? The likelihood of your computer becoming infected by an email-delivered virus just by opening a message was once terrifyingly large. But the vulnerabilities that made it so were quickly addressed years ago by developers of modern email clients and antivirus software. Today, you have to do some pretty foolish things to catch a virus via your email inbox.

But myths, urban legends and endlessly repeated tales of Cousin Vinny, who has a friend who knows a guy that lives near the police station in a major city, who got a virus by opening an email -- those die hard on the Internet. And ironically, these tales live on and are propagated largely by... email. I still get occasional warnings about the Hallmark Virus, and similar missives warning me not to open emails with certain subject lines, or a horrible uncurable virus will wipe out my hard drive.

The possibility of virus-infected emails arose with the introduction of HTML email, way back in the early 2000s. HTML gave us the ability to use fonts, colors, images and fancy formatting in emails, but it could also contain hidden executable code in the form of Flash, Java or Javascript. That code could do the bidding of bad guys if it could be triggered to execute when an email was opened. Back in the day, opening an infected HTML email, or even allowing your email client to display it in the preview pane, could execute the code.

Email and Viruses

The good news is this vulnerability was noticed almost immediately, and steps were taken to close it. Email clients stopped supporting Flash, Java and Javascript. Vulnerabilities in email software and operating systems were patched. Spam filters began blocking emails that contained suspicious code. Email-scanning was added to anti-malware programs. Most email service providers proactively scan, detect and warn of any potentially suspicious or malicious emails or attachments.

If you use GMail, you've probably seen a banner like this across the top of an incoming message: "This message seems dangerous" followed by a warning that "Similar messages were used to steal personal information, so this might contain unsafe content. Avoid clicking links, downloading attachments, or replying with personal information."

Today, you may be able to (unwisely) disable some of the multiple safeguards built into your email client. You may be using an ancient version of Outlook Express that doesn’t contain any safeguards. Maybe you've stubbornly clung to your copy of Windows XP, or you've refused to install any of the security updates available for newer versions of Windows. You may even eschew virus protection that includes email-scanning in real time.

But you’re not that foolish, are you? You don't even have to spend money to get excellent Internet security software. The free versions of Avast and Avira are used by millions of users. I take my computer security a step further, by using PC Matic "whitelist" approach, which assumes ALL incoming links and files are malicious, unless they've been previously vetted and found safe. (RELATED: See my review of PC Matic 4.0)

Some people don’t send or read HTML; they stick with old-school plain text email. That’s a sure way to avoid triggering embedded malicious code, but it makes for a poor email experience. Also, it doesn’t entirely protect against email-borne malware.

Beyond the First Click: Other Email Threats

Just to be clear, I'm talking about that first click -- simply opening and viewing an email message that has arrived in your inbox. The likelihood of being infected just by clicking to open a message sitting in your inbox is vanishingly small. I'd venture to say it's zero if you have an updated email client, you allow Windows to automatically update, and you have anti-virus protection. But once you open that email, other dangers lurk.

It's the second click that'll get you in trouble.

Files attached to either plain-text or HTML email can contain viruses. That is why it is so important not to click on any attachment whose sender you do not know and trust. Even if you do know and trust the sender, caution is needed. The email sender's addresses can be faked, or the sender's computer may have been compromised, so it’s vital to use anti-malware software that scans every email attachment. You may even want to call the sender, to be sure the attached file is legit.

Oh, and don't assume that non-executable files are safe. There have been instances of malware hiding inside Word or PDF documents. Downloading and then opening the document could trigger malicious code hidden inside. Regularly updated security software should catch these threats, but there's always the possibility of a "zero-day" attack. (See my related article Will Your Antivirus Software Fail You?)

The bad guys out there rely mainly on social engineering to entrap victims these days. Typically, that means a phishing email that masquerades as something from a trusted sender, urging you to click on a link in the email. Some typical ploys are messages that promise juicy gossip or racy photos. These messages often try to pique your curiousity by mentioning celebrities, public figures or current events. Have You Heard The Sad Truth About Justin Bieber? Willie Nelson Confirms Unfortunate News! Awkward Moments That Wedding Photographers Should Not Have Captured!

Other emails may pretend to be from a company that you know, such as your bank, Amazon, FedEx, Paypal or eBay. Oh no... your account is about to be suspended! One false click and you could be dealing with a nasty virus, or caught in the snare of identity thieves. Some malicious emails will instruct the recipient to call a phone number to restore access to a blocked account, release a package for delivery, or verify details of a financial account. Always look for the customer service number of a business on their website, not in an email. See my related article Have You Been Phished? for more information on email phishing, and how to defend against it.

One of the things I like about web-based email, and GMail in particular, is that you're protected from most of these threats without installing any software at all. If a message with a suspicious link or attachment comes your way, it's either blocked completely, or a warning is displayed that the content may be malicious. My GMail spam folder catches about 200 bogus messages every day. AOL, Yahoo Mail and Microsoft's are some other examples of webmail services.

If you use webmail, or you're conscientious about keeping your desktop email software up to date, there is no reason to fear that you will catch a virus simply by reading an email. But do be careful about clicking on links, opening attachments, or calling phone numbers that appear in emails. That's where the trouble starts.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 2 Oct 2023

For Fun: Buy Bob a Snickers.

Prev Article:
Will Your Antivirus Software Fail You?

The Top Twenty
Next Article:
Can You Get a Virus By Scanning a QR Code?

Most recent comments on "Can You Get a Virus By Opening an Email?"

Posted by:

Ernest N. Wilcox Jr. (Oldster)
03 Oct 2023

I agree with everything Bob has to say about email messages in this item, especially about using caution with unexpected messages, but I take things a bit further. When I receive a message I'm not expecting, the first thing I do is see if it is directed to me using my name (not my email address) and if not (e.g.: the sender got my name wrong) I send it to the spam folder. If a message passes that first scrutiny, and purports to come from someone I know, I contact the purported sender to confirm they sent me a message with the subject line from the message I received, using a different contact method such as a phone call or a direct message on Facebook, then I act accordingly.

When I receive messages that purport to come from businesses, health-care providers, etc. - and pass my first scrutiny - before I click any link, I verify that its URL corresponds with its label. For example, if I receive an advertising message from Best Buy and it contains a link to a sale item, I expect the URL in the link to start with something like '' or 'https://[some-department-name]'. If not, I mark it as spam or simply delete it, depending on the sender. For the few businesses I interact with regularly, I delete messages that don't contain anything I'm interested in because these messages aren't spam, they're legitimate advertising.

These are my rules for incoming email in a nutshell. I'm a retiree, and my computer use (including email) is entirely for my personal entertainment/activities so what works for you will probably differ. The one thing I want to stress is that all email comes from the Internet. The Internet is comprised of websites created/populated by strangers. You should never blindly trust any stranger or anything created by strangers. Until you can confirm the identity of those you encounter on the Internet, they are strangers, and not to be trusted. Until you can establish the trustworthiness of any website, use caution there. This is my definition of a zero-trust paradigm. I strongly recommend you establish something similar for yourself if you have not yet done so.

I hope this helps others,

Ernie (Oldster)

Posted by:

03 Oct 2023

Thanks Bob! Sometimes you don't know what it fake or real. There is too much disinformation put out in the world.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Can You Get a Virus By Opening an Email? (Posted: 2 Oct 2023)
Copyright © 2005 - Bob Rankin - All Rights Reserved