Never open unexpected email attachments or links
Treat any unexpected file attachment or link — even from someone you know — with suspicion before you click.
Why this matters
The majority of ransomware and malware infections begin with a phishing email. Pausing before clicking is free and highly effective.
How to do it
- Before opening an attachment or clicking a link, ask yourself:
  - Were you expecting this email?
  - Does the sender's address look genuine? Check the actual email address, not just the display name, which a sender can set to anything.
  - Hover over the link: does the address it really points to match what is displayed?
- If in doubt, contact the sender through a channel you already trust, such as a phone number you have on file, not one given in the email itself.
- Report suspicious emails to your email provider or IT team.
Need a more detailed walkthrough?
Our step-by-step guide explains each action in full detail, with confirmation steps and related tasks.
View full step-by-step guide →
Cyber Essentials framework
This task falls under the Malware protection control, one of the five controls assessed in the UK's Cyber Essentials scheme. Completing it counts toward your Cyber Essentials alignment. Create a free account to track your progress across all five areas.
Frequently asked questions
How do I tell if an email link is genuine?
Hover your mouse over the link: the actual web address it points to appears at the bottom of your browser window or in a tooltip in your mail app. Check that the domain matches the organisation it claims to be from. For example, a genuine Amazon link will go to amazon.co.uk, not amazon-security-notice.net. Look at the part just before the first single slash: the domain is what comes at the end of that part, so www.amazon.co.uk.example-login.net belongs to example-login.net, not to Amazon. On a phone, press and hold the link to preview the URL before tapping it.
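The checks in that answer can be made mechanical. The following is an added example, not code from the original page or from Cyber Nova AI: it extracts the registered domain from a link, compares it with the domain shown in the link text, and flags raw IP addresses, non-web schemes, and lookalike names that contain a brand word. The trusted domains, the brand words, the small public-suffix table and the sample links are all constructed for illustration.

```python
"""Check a hyperlink the way the FAQ recommends doing by hand: does the
address it really points to belong to the organisation it claims to be from?

Added example; the domain lists and sample links below are constructed."""
import ipaddress
from typing import Optional
from urllib.parse import urlparse

# Hand-picked subset of multi-label public suffixes. The real list at
# publicsuffix.org has thousands of entries; this is enough for the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname somebody actually registered.
    'www.amazon.co.uk' -> 'amazon.co.uk'; 'amazon.co.uk.evil.net' -> 'evil.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(text: str) -> Optional[str]:
    """Pull a hostname out of display text that looks like a URL or bare
    domain ('www.amazon.co.uk', 'https://amazon.co.uk/signin'); return None
    for ordinary wording such as 'Click here'."""
    candidate = text.strip()
    if " " in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    if not host or "." not in host:
        return None
    return host


def link_verdict(href: str, display_text: str, trusted_domains: set, brand_words: set) -> str:
    """Classify one link as 'ok', 'suspicious' or 'unknown' with a reason."""
    parsed = urlparse(href.strip())
    if parsed.scheme not in ("http", "https"):
        return "suspicious: non-web link scheme " + repr(parsed.scheme)
    host = parsed.hostname
    if not host:
        return "suspicious: no hostname in link"
    try:
        ipaddress.ip_address(host)
        return "suspicious: link points at a raw IP address"
    except ValueError:
        pass  # a normal hostname, carry on
    actual = registrable_domain(host)
    shown_host = host_of(display_text)
    # The text shows one domain but the link goes somewhere else.
    if shown_host and registrable_domain(shown_host) != actual:
        return f"suspicious: text shows {registrable_domain(shown_host)} but link goes to {actual}"
    if actual in trusted_domains:
        return "ok: " + actual
    # A brand name buried in an unrelated registered domain is the classic lookalike.
    if any(word in host.lower() for word in brand_words):
        return f"suspicious: lookalike domain {actual}"
    return "unknown: " + actual


if __name__ == "__main__":
    trusted = {"amazon.co.uk"}          # constructed: domains you expect mail from
    brands = {"amazon"}                 # constructed: words attackers imitate
    samples = [                         # constructed sample links
        ("https://www.amazon.co.uk/ap/signin", "https://www.amazon.co.uk/ap/signin"),
        ("https://amazon-security-notice.net/login", "Verify your Amazon account"),
        ("https://www.amazon.co.uk.evil.net/", "www.amazon.co.uk"),
        ("http://203.0.113.7/update", "Update now"),
    ]
    for href, text in samples:
        print(f"{text!r:45} -> {link_verdict(href, text, trusted, brands)}")
```

The important design choice is comparing registered domains rather than whole hostnames: a long hostname that starts with a familiar brand still belongs to whoever registered its last two or three labels.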
Can an email be dangerous even if I do not open any attachments?
Opening the email itself is usually safe in modern email apps, which no longer run scripts inside messages. The risk comes from clicking links or opening attachments. Many emails do contain tracking pixels (tiny remote images that tell the sender when and from where you opened the message); marketers use them routinely and some attackers use them to confirm an address is live. This is a privacy concern rather than a route to infection, and most mail apps let you block remote images by default.
What should I do if I accidentally clicked a phishing link?
Do not enter any information on the page that opens. Close the tab immediately and run a virus scan. If you did enter a password, change it immediately on the legitimate website (type the address yourself rather than following the link), change it anywhere else you used the same password, then turn on two-factor authentication. If it was a banking link, call your bank directly using the number on your card or statement.
Where can I report phishing emails in the UK?
Forward suspicious emails to report@phishing.gov.uk (the NCSC's free reporting service). Your email provider also has a "Report phishing" option (in Gmail, click the three-dot menu on the email). Reporting helps get phishing sites taken down faster.
On an Android phone? How to spot phishing on Android →
Track your security score for free
Create a free Cyber Nova AI account to tick off tasks like this one, see your Security Score, and stay on top of what you've done and what's still to do.
Start your free security check