Ask Jack: What E-Mail Attachments Are Red Flags?

By Jack McCalmon, The McCalmon Group, Inc.

It seems like I receive a thousand emails a day at work - many with attachments. I know attachments may be malware. Is there any type of attachment that presents a greater risk than another?

Business compromise emails are on the rise, and many have attachments. So, any type of attachment - a .pdf, a .doc or even a .jpeg - can contain malware. Don't select any attachment you are not expecting without performing due diligence, and if you are not sure, then don't select it.

Please note that there has been a spike with malware and third-party applications:

A recent Abnormal report analyzed the increase in email attacks in the first half of 2023. Examining data since 2013, the report identified a massive increase in third-party applications (apps) integrated with email, underscoring the proliferation of an emerging threat vector that cybercriminals are exploiting as they continue to shift their tactics.

The final takeaway is that all attachments present risk. The riskiest attachment is the attachment you were not expecting and selected without performing due diligence.

Jack McCalmon, Leslie Zieren, and Emily Brodzinski are attorneys with more than 50 years combined experience assisting employers in lowering their risk, including answering questions, like the one above, through the McCalmon Group's Best Practices Help Line. The Best Practice Help Line is a service of The McCalmon Group, Inc. Your organization may have access to The Best Practice Help Line or a similar service from another provider at no cost to you or at a discount. For questions about The Best Practice Help Line or what similar services are available to you via this Platform, call 888.712.7667.

If you have a question that you would like Jack McCalmon, Leslie Zieren, or Emily Brodzinski to consider for this column, please submit it to Please note that The McCalmon Group cannot guarantee that your question will be answered. Answers are based on generally accepted risk management best practices. They are not, and should not be considered, legal advice. If you need an answer immediately or desire legal advice, please call your local legal counsel.


Finally, your opinion is important to us. Please complete the opinion survey:

What's New

Is An Organization-Wide Shutdown A Smart Response To Cyber Threats?

The University of Michigan shut down internet access in response to a cyber incident. We examine why isolating an infected network is the first step to recovery.

Weak Passwords Allow Cybercriminals To Go Through The "Front Door"

Employers must stress good password practices to minimize breach risks. We examine why reusing passwords is a risky practice.

Ask Jack: Can We Assume AI Searches Are Safe?

More and more employees are using AI chatbots to do research, but are they safe? Jack responds.