Is it safe to open an email attachment from an unknown sender?
Email attachments from unknown senders are one of the primary methods for delivering malware. You should not open them unless you are certain of the sender's identity and were expecting the file.
Last reviewed: 10 June 2026
Explanation
Malicious email attachments can deliver a wide range of harmful software: ransomware that encrypts your files and demands payment, banking trojans that monitor your keystrokes, remote-access tools that give criminals control of your device, or simply data-harvesting software. The file formats vary — common malicious formats include Word documents (.doc, .docx) with malicious macros, PDF files exploiting reader vulnerabilities, executable files (.exe), and compressed archives (.zip, .rar) containing any of the above.
Many effective attacks come not from completely unknown senders but from compromised accounts belonging to someone you know — a colleague, friend, or supplier whose email account was hacked. The message may use a familiar name and include some contextual detail to appear plausible. The attachment name is typically generic: 'Invoice', 'Document', 'Receipt'.
Before opening any unexpected attachment, verify the sender through a separate channel — a phone call or a new email asking if they sent you a file. Never reply to the suspicious email itself, as you may be replying to the attacker who controls the compromised account.
Many business email attacks specifically target invoices and payment files, inserting malicious content into what appears to be a routine business document. Organisations should train all staff in this specific threat, as the consequences of ransomware infection can be severe.
Common red flags
- Sender is unknown or the message arrived with no prior context
- The email creates urgency — open immediately, action required today
- The attachment name is generic — 'Invoice', 'Document', 'Receipt' — without specific context
- The email asks you to enable macros in a Word or Excel document
- The message body text is thin or generic, not referencing specific details of your relationship with the sender
- The 'from' address does not match the display name or organisation
What to do now
- Do not open the attachment
- Verify the sender through a separate channel if you suspect the message may be legitimate
- Report the email to your email provider using the junk or phishing report function
- If you have already opened the attachment, run a reputable malware scan immediately
- Disconnect from the network and seek IT assistance if your computer behaves unusually after opening an attachment
- Report to your national cybercrime reporting centre
Frequently asked questions
Can a PDF give me a virus?
Yes. Malicious PDFs can exploit vulnerabilities in PDF reader software. Keeping your PDF reader fully updated significantly reduces this risk. Preview mode in email clients is generally safer than downloading and opening in a local application.
The sender was my bank — is it safe to open?
Attackers impersonate banks. Verify by checking the sending domain exactly, not just the display name. If in any doubt, log in to your bank directly to check for any genuine correspondence and report the email.