How to make sure file attachments don’t have a virus

Home / Security Introduction / How to make sure file attachments don’t have a virus

If you’re someone that accepts a lot of emails from people you don’t know you should be wary of downloading something that may contain malware. If you ever look into your spam folder you will see a lot of those emails try to get you to either download an attachment or visit a link. Email attachments are one of the main ways that people try to trick people into downloading viruses onto their machine and some of them can be very convincing. Good hackers know how to create emails that compel you to download the attachment. If you’re ever unsure if an attachment is legitimate or not it’s good to know a few quick and easy tests you can do to figure it out, that way you don’t waste much time and you don’t end up downloading something harmful to your computer. This guide will give you 7 ways you can tell if a file attachment is a computer virus. 

File extension

This is the quickest and simplest way to find a potential computer virus. Most file attachments should be either a pdf, word document (docx), txt or an excel file if it’s something you are supposed to read. If it’s an audio file or a picture you should expect a file extension like this GIF, JPG or JPEG, TIF or TIFF, MPG or MPEG, MP3 and WAV, these are typically safe. 

Anything outside of these file types should raise a red flag, especially anything that ends in .exe. .exe indicates that it’s an executable file, which means it will run some type of code on your machine. In essence, all computer viruses are pieces of code that run on your computer and do something that you don’t want them to do so it’s very risky to download a .exe file. You should also be suspicious if you see any file with a double extension, such as image.gif.exe, people typically only do this if they want to avoid detection and you almost never see it outside of someone trying to pass off a virus as a legitimate file. 

Email domain

Another good trick is if someone is claiming to be from a certain company, they should be emailing you from that business email. For example if it says they are emailing on behalf of scotiabank, they should have an email address that ends with “@scotiabank.com”. The email domain should match the company that they are claiming to represent.


Virustotal is a great free website that lets you upload files or links and it will run a scan based on over 30 antivirus providers. Then it will return the results to you and let you know if any of the antivirus providers found that file or link to be malicious/dangerous. It’s extremely easy to use, it takes less than 10 seconds to scan and it’s 100% free to use. If you ever have any doubts just quickly google virustotal and put it through a scan. 

Research the company

If it’s a company you have never heard of it may be useful to do a quick google search. See if this company is real, if the product they are claiming is legitimate and get their contact information. If you want to make sure that the email you got is legitimate you can contact the company directly through their main webpage and ask them to confirm that the person contacting you is an employee/representative. 

You also want to check sites like quora or reddit to see if there is a pattern of people running scams using that company’s name, often if this is a recurring scam people will discuss it on platforms like these.

Research the email sender

In addition to researching the company, you can research the person that sent you the email. A simple linkedin search can verify if this person works within the industry by looking at their job history and their contacts within the company that they claim they work for. Also, you can look for other people in your contact list that might work at the company. Ideally, you would want to be able to find that person’s name on the company website or they should have a corporate phone extension that you can call to verify that they work with that company.

Add it to your google drive not your main computer

If you are receiving this email on your personal account, consider saving it to your google drive instead of your personal computer. This way if you do make a mistake and it is a virus, it will be stored in the cloud on your provider’s server rather than your personal computer. Most of these big companies scan files regularly, have hardened servers, DMZs and a lot of other security features that the average person doesn’t so they are much more prepared in case it is a virus. 

Don’t enable macros unless necessary

If you download any microsoft files like word or excel, don’t enable macros if you don’t need to. One method that people use for delivering the virus is to create the virus using VBA (the language used to create microsoft macros), they attach it to the microsoft file and when you open the file and enable macros it will cause the virus to start running. If you don’t need to run macros to read the files or do your work then don’t enable them, it’s just an extra risk.