Ask Jack: What E-Mail Attachments Are Red Flags?

By Jack McCalmon, The McCalmon Group, Inc.

It seems like I receive a thousand emails a day at work - many with attachments. I know attachments may be malware. Is there any type of attachment that presents a greater risk than another?

Business compromise emails are on the rise, and many have attachments. So, any type of attachment - a .pdf, a .doc or even a .jpeg - can contain malware. Don't select any attachment you are not expecting without performing due diligence, and if you are not sure, then don't select it.

Please note that there has been a spike with malware and third-party applications:

A recent Abnormal report analyzed the increase in email attacks in the first half of 2023. Examining data since 2013, the report identified a massive increase in third-party applications (apps) integrated with email, underscoring the proliferation of an emerging threat vector that cybercriminals are exploiting as they continue to shift their tactics.

The final takeaway is that all attachments present risk. The riskiest attachment is the attachment you were not expecting and selected without performing due diligence.

Jack McCalmon, Leslie Zieren, and Emily Brodzinski are attorneys with more than 50 years combined experience assisting employers in lowering their risk, including answering questions, like the one above, through the McCalmon Group's Best Practices Help Line. The Best Practice Help Line is a service of The McCalmon Group, Inc. Your organization may have access to The Best Practice Help Line or a similar service from another provider at no cost to you or at a discount. For questions about The Best Practice Help Line or what similar services are available to you via this Platform, call 888.712.7667.

If you have a question that you would like Jack McCalmon, Leslie Zieren, or Emily Brodzinski to consider for this column, please submit it to Please note that The McCalmon Group cannot guarantee that your question will be answered. Answers are based on generally accepted risk management best practices. They are not, and should not be considered, legal advice. If you need an answer immediately or desire legal advice, please call your local legal counsel.


Finally, your opinion is important to us. Please complete the opinion survey: