High riskEmail Scams

Malware Attachment Scam

In a malware attachment scam, an email arrives with a file posing as an invoice, receipt, CV, statement or delivery note. Opening the attachment, or clicking a prompt to 'enable content' or 'enable macros', can quietly install malware that steals passwords, banking logins or files. The message is often crafted to feel urgent or routine so you act before thinking. Treating every unexpected attachment with caution, and verifying it through a separate channel, is one of the most effective defences.

Quick verdict

Risk level

High risk

Scam type

Malicious attachment scam

Main red flag

An unexpected attachment that pushes you to open it quickly or to 'enable macros' or 'enable editing' to view the content.

What to do first

Do not open the attachment. Verify whether it is genuine by contacting the sender through a number or address you already trust, not the one in the email.

What this scam usually looks like

Example message pattern

Example pattern — not a real report

Example pattern: 'Please find attached your outstanding invoice INV-4821 for immediate payment. To view the full document, open the attached file and click Enable Content. Failure to settle within 24 hours may incur additional charges. See attachment: Invoice_4821.docm [suspicious attachment]'

This is a fictional, anonymised example used to illustrate the pattern. It is not a verified real message, and any names are used only to show how the scam typically reads.

Red flags to watch for

An attachment you were not expecting, even if it looks like a normal invoice, receipt or CV.
A prompt to 'enable macros', 'enable content' or 'enable editing' before you can see the document, which is a common way to trigger malware.
Unusual file types or double extensions, such as .docm, .zip, .iso, .html or a file ending in something like 'invoice.pdf.exe'.
Pressure or urgency in the message, for example threats of extra charges, account closure or legal action if you do not open the file quickly.
Generic greetings, odd phrasing or a sender address that does not quite match the company it claims to represent.

What to do

Pause before opening anything and check whether you were genuinely expecting a document from this sender.
Verify the message by contacting the company or person directly using details from their official website or a previous trusted email.
Keep your operating system, browser and antivirus software up to date, as this reduces the chance an attachment can do harm.
If the email claims to be from a colleague or supplier, ask them in person, by phone or in a fresh message whether they really sent it.

If you already clicked or replied

Disconnect the device from the internet straight away to limit any data being sent out or further downloads.
Run a full scan with reputable, up-to-date antivirus or security software and follow its guidance.
Change important passwords, especially for email and banking, from a different device you trust, and turn on two-factor authentication.
Watch your bank and online accounts closely for unfamiliar activity and report anything suspicious to your bank without delay.

What not to do

Do not click 'enable macros', 'enable content' or 'enable editing' just to view an unexpected attachment.
Do not assume an attachment is safe simply because it looks like a normal invoice or comes from a familiar-sounding name.
Do not forward the email to colleagues to ask if it is real, as this can spread the risk further.

Similar scams

Medium risk Email

Fake Invoice Email Scam

This scam emails an invoice or receipt for something you did not buy, hoping you call a fake 'support' number or click a link to dispute it.

High risk Email

Email Thread Hijacking Scam

This scam happens when attackers who have compromised a contact's mailbox reply within a real, existing email thread, using the genuine history to make a malicious link or attachment look trustworthy because it continues a conversation you recognise.

Medium risk Email

Fake DocuSign Email Scam

This scam sends a fake 'you have a document to review and sign' email with a 'View Document' link that leads to a credential-harvesting page or to malware instead of a genuine document.

Frequently asked questions

Can opening an attachment really infect my computer?

It can. Some files carry hidden code, and certain document types ask you to 'enable macros' or 'enable content', which can run that code. This is a common method used in scams, so unexpected attachments are best treated with caution.

What does 'enable macros' actually mean?

Macros are small programs that can run inside documents. They have legitimate uses, but scammers often disguise malware as a macro and ask you to enable it to 'see the document'. If a file you did not expect asks for this, it is wise to stop and verify first.

The email looks like it came from a supplier I know. Is it safe?

Not necessarily. Sender names and addresses can be faked, and real accounts can be hijacked. If an attachment is unexpected, it is safer to confirm directly with the supplier using contact details you already trust before opening it.

I opened the file but nothing happened. Am I fine?

Possibly, but malware often runs silently. As a precaution, run a full security scan, change key passwords from another device and keep an eye on your accounts. If anything seems off, seek help from a trusted IT professional.

Last reviewed: June 2026

Disclaimer: This page provides educational information only to help you recognise common scam patterns. It is not legal, financial, cybersecurity, or law enforcement advice, and it does not confirm whether any specific message, company, or person is genuine or fraudulent. When in doubt, contact the official organisation directly and report concerns to your local authorities.