Don't trust unsolicited files or embedded links, even from friends.
It’s easy to spoof email addresses, for instance, so that email appears to come from someone other than the real sender (who/which may in any case be a spam tool rather than a human being). Basic SMTP (Simple Mail Transfer Protocol) doesn't validate the sender's address in the "From" field, though well-secured mail services do often include such functionality.
I remember years ago one of my colleagues at a medical research charity in the UK sent email as a joke using someone else's address, a trick that's easily performed using telnet and an unsecured mailserver. On that occasion, I was able to identify the real sender immediately by his IP address (much to his surprise), but the nature of the 21st century Internet means that there are many ways of concealing such information, if you really want to stay hidden.
It's also possible for mail to be sent from your account, without your knowledge, by malware, though malware that does this is far rarer than it used to be. It's far more effective for a spammer to hire the services of a botherder, nowadays.
There are also many ways to disguise a harmful link so that it looks like something quite different, whether it’s in email, chat or whatever. The disguising of malicious links in phishing emails so that they appear to go to a legitimate site has obliged developers to re-engineer browsers to make it easier to spot such spoofing, but too many people forget to make use of elementary precautions such as passing the mouse cursor over the link so that the real link shows up. In any case, it's not always easy to tell a genuine or fake site just from the URL, even if the URL is rendered correctly. (Early phishing emails tended to rely on exploiting bugs in popular browsers to hide the real target link.) DNS cache poisoning, for instance, allows an attacker to redirect a web query to an IP address under his control.
David Harley
Director of Malware Intelligence