Is it a Security Risk to Download Pictures in an Email?

We’ve had this question from clients who have experienced the aftermath of accidentally clicking a link in a malicious email. We’re betting there are more who have wondered and just haven’t asked!

If you subscribe to e-newsletters or receive emails from vendors, you’ve probably seen the option in Outlook to “Click here to download pictures.” By default, most companies’ systems are set up not to download images, and that’s the recommended best practice, mainly because images can eat up a lot of data storage space. That applies whether your email is hosted in the cloud (like Office 365) or on-premises (like an in-house Exchange server). Either way, that storage has costs and limits.

As for whether downloading pictures in an email is a security risk, we asked our VP of Cloud and Technical Solutions, Toni Poole. She gave a classic Toni answer:

“It’s theoretically possible that photos can contain malicious code in order to exploit a vulnerability in the software that displays them, but…it’s pretty unlikely. Most of the time the click to view option in Outlook has more to do with marketing. Often when companies send out emails, the photos are sourced from a URL [web address] that allows them to track which users allowed the photos to be viewed in the mail client. In this way they can gauge the effectiveness of the emails.

So again, yes, in theory it’s possible, but sort of along the lines of it being theoretically possible that it’ll be sunny and 80 out tomorrow, but I won’t be wearing flip-flops in anticipation.”

There you have it. If the message is from an email address you know and trust, downloading those pretty pictures generally does not carry the same level of risk as clicking a link. If you’re ever in doubt, err on the side of caution and just don’t do it.