Simple Rules for Avoiding Malware in Email

Here’s a bit of a writeup I did for some folks who were being hit with a bout of malware email messages (the actual attachments were being removed by our filters).

The message(s) you received were an attempt to infect your computer with malware. The mail server removed the dangerous attachment when it received the message, but in general, if you receive an attachment that you’re not expecting, do not open it – malware writers are creative and may come up with something that the mail server won’t block, at least not while the attack is new. This is the first attempt I remember seeing that pretended to be travel arrangements, but it’s not a surprising development.

Some of the most common attacks like this in recent months have been:

  • Messages pretending to be from a package delivery service (UPS, FedEx, DHL most commonly) with an attached message about a package for you.
    • First, these services generally don’t have your email address;
    • Second they would be contacting the shipper not you;
    • Third, even if they did contact you it would likely only be to send you to their website with a tracking number – none of them are going to generate attachments (Word documents, PDFs, executables) and email them to people who may not even be able to open them.

    Another clue is that the reference numbers in the email subjects neither match the format of each carrier’s tracking numbers nor are they large enough to be realistic – a 5-digit supposed “case number” from UPS or FedEx would probably have to cycle back to 0 every week.

  • Messages relating to ACH transactions – there has been a huge rash of these over the past few months, and all of them are attempts to infect the PCs of people who actually do ACH transactions regularly. Some businesses and municipalities have lost hundreds of thousands of dollars when key staff PCs were infected by these. A simple rule of thumb: is your bank EVER going to send you unencrypted financial information via email? The most they’ll do is send you a message to log in on their website to check recent transactions. In addition, you should never click on links to bank websites from within received email messages – just go directly to the bank website by typing its address in yourself or using a saved bookmark in your web browser. It’s too easy for scammers to register a domain like “” (that’s a lowercase “L” not an “i” by the way) that may look OK but is designed simply to steal your login information.
  • Anything else that doesn’t actually refer to you by name – if it’s an organization that you do business with, they’re going to say “Hi Elaine” or “Hi Barry” not “Hi Esmith”. Note that just knowing your name is not actually an indicator of trustworthiness – competent scammers or ones who’ve stolen more information than just an email address may use your name. The key point here is that not knowing your name is a good indicator of spam or malware.

Also avoid any attachment with a message that has poor grammar – if you’re going to throw caution to the winds and open unexpected attachments, at least consider that any major corporation has a marketing and communications department that probably had to sign off on the text of messages being sent, and that those marketing and communications folks would lose their jobs quickly if they sent out messages with poor grammar, spelling or capitalization.
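As an added example (not part of the original writeup), here are the rules above expressed as a small mail-filter check in Python: it flags the attachment types called out above, a body that does not use the recipient’s name, links whose host matches a trusted bank domain once look-alike characters (a lowercase “L” for an “i”) are folded together, and carrier-branded senders whose reference numbers are too short to be tracking numbers. The trusted domain, carrier list and sample message are constructed for the example and are not real data.

```python
import re
from email.message import EmailMessage

# Constructed trusted domain and carrier list for this example; not real data.
TRUSTED_BANK_DOMAINS = {"unionbank.example"}
CARRIER_BRANDS = ("ups", "fedex", "dhl")
# Attachment types the post calls out: Word documents, PDFs, executables.
RISKY_EXTENSIONS = (".doc", ".docm", ".docx", ".pdf", ".exe", ".scr", ".zip")
# Collapse look-alike characters (l for i, 1 for l, 0 for o) so a spoofed
# domain normalises to the same string as the genuine one.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})
LINK_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)

def lookalike_domain(host: str) -> bool:
    # True when host is untrusted but matches a trusted domain after folding.
    host = host.lower()
    if host in TRUSTED_BANK_DOMAINS:
        return False
    folded = {d.translate(CONFUSABLES) for d in TRUSTED_BANK_DOMAINS}
    return host.translate(CONFUSABLES) in folded

def score_message(msg: EmailMessage, recipient_name: str) -> list:
    """Apply the post's rules of thumb; return the reasons the message looks suspicious."""
    findings = []
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content() if text_part else ""
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", ""))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"unexpected attachment: {name}")
    if recipient_name.lower() not in body.lower():
        findings.append("does not address recipient by name")
    for host in LINK_RE.findall(body):
        if lookalike_domain(host):
            findings.append(f"look-alike domain in link: {host.lower()}")
    # Real carriers use long tracking numbers; a short "case number" cannot be one.
    if any(brand in sender for brand in CARRIER_BRANDS):
        for digits in re.findall(r"\d+", subject):
            if len(digits) < 10:
                findings.append(f"reference number too short to be a tracking number: {digits}")
    return findings

def build_sample_message() -> EmailMessage:
    # Constructed lure that trips every rule above; not a real message.
    msg = EmailMessage()
    msg["From"] = "UPS Notification <noreply@ups-delivery.example>"
    msg["Subject"] = "Case 48213: your package could not be delivered"
    msg.set_content("Dear customer,\nConfirm your details at http://unlonbank.example/login using the attached form.")
    msg.add_attachment(b"not a real program", maintype="application", subtype="octet-stream", filename="Delivery_Form.exe")
    return msg
```

Running `score_message(build_sample_message(), "Elaine")` returns one finding per rule; in a real filter the findings would feed a quarantine or warning banner rather than an automatic block.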

Checking the items above can help keep you from being one of the “low-hanging fruit” that scammers and malware authors are going to catch.

Note that the most important thing to take from this is to use common sense – much like 419 scams, a little bit of thought can keep you out of a lot of trouble.