We do not use any AI writing tools. All our content is written by humans, not robots. See our editorial process.

Maybe, but probably not. This was a much bigger problem a decade ago, for reasons I’ll highlight below, but time and experience have resulted in patches for most email content-based threats. 

Hi, I’m Aaron! I’ve been in cybersecurity and technology for the better part of two decades. I love what I do and love sharing with you all so you can be safer and more secure. There’s no better defense against cyberattacks than education and I want to educate you about threats. 

In this article, I’ll describe some of the email-based attacks that used to exist and highlight why they’re no longer realistically effective. I’ll also try to anticipate some of your questions about this!

Key Takeaways

  • HTML in email facilitated attacks in the late 1990s and early 2000s.
  • Since then, HTML attacks by email have been largely mitigated by email service providers and clients.
  • There are other, more effective, modern attacks.
  • You can avert them by being smart about your internet use.

How Opening an Email Could Have Gotten You Hacked

The internet is built on a language called HyperText Markup Language, or HTML

HTML allows for the delivery of media-rich and flexible content quickly and efficiently. Web 2.0’s multimedia and security needs have brought that to its fifth iteration and all websites you visit today are delivered via HTML. 

HTML was introduced to email sometime in the late 1990s, though there doesn’t seem to be a canonical first date of use or first adopter. In any event, HTML-enriched emails are still in use today to deliver visually appealing emails. 

Here’s a great tutorial from YouTube about how to develop your own HTML-enriched emails.

One of the great things HTML facilitates is the ability to seamlessly load content inline from a source. It’s how dynamic webpage advertising works. It’s also how a specific kind of attack used to be implemented via opening an email.

There are two variations of this attack. One was opening an image where the local image decoder (the software that lets the image be displayed in a human viewable format) on your computer was responsible for decoding the image. That decoder would execute code delivered as part of that image decoding process. 

If some of that code was malicious, you’d be “hacked.” Certainly, you’d have a virus or malware

Another variant of that attack was delivery of malicious code through link delivery. Opening the email would parse the HTML file, which would also force opening of a link which, in turn, would deliver or execute malicious code locally. 

Here’s an excellent explanation of how that worked, via Youtube, and the entire channel is excellent for plain language explanations of technology concepts.

Why Don’t Those Attacks Work Anymore?

They don’t work because of how email is parsed by modern email clients. A few changes were made to those clients, including how images are processed and how HTML is implemented in email. By disabling certain features, email clients are able to easily and effectively secure their users. 

That doesn’t mean you’re safe! There are still many ways to deliver malicious content via email. In fact, email is the current single most effective entry for cyberattacks. Those changes simply mean that you can’t be “hacked” just by opening an email. 

You may, for example, open an email that prompts you to urgently open an attachment that is purportedly legal service, an overdue bill, or another urgent matter. It may also ask you to click on a link. Furthermore, it could ask you to send money to an address to receive some greater benefit. 

Those are all examples of common phishing attacks. Opening the attachment or clicking the link delivers malware (typically ransomware) to your computer. Sending money somewhere guarantees only that you’re out whatever money you sent. 

There are many other common attacks much more effective than HTML content attacks could ever deliver and which can’t readily be defended against by your email provider or client. 

Can My Phone or iPhone Get Hacked by Opening an Email?

No! For the same reasons above and a couple of additional reasons. Your phone’s email client is just that, an email client. It has the same restrictions on parsing HTML as do desktop email clients. 

Additionally, Android and iOS devices are a different OS than Windows devices, which most malware is coded to attack. Most malware targets Windows because of its prevalence in the corporate environment. 

Finally, Android and iOS devices partition and sandbox apps, only allowing cross-communication with permissions. So you may open an email with malicious code, but that malicious code won’t automatically infiltrate and infect other parts of your phone. It will be isolated, by design. 


Here are some answers to questions you may have about malicious content delivered via email.

Can You Get Hacked Just by Opening a Text Message?

Definitely not. Text messages are typically delivered in SMS, or Short Message/Messaging Service. SMS is plain text – it’s just the letters on the screen. Emojis, believe it or not, are just the implementation of Unicode. 

It’s how the phone’s operating system and messaging app translates specific strings of text into an image. That being said, iMessage was demonstrated to allow a “hack” by opening a message in 2019. 

I Accidentally Opened a Spam Email on My Phone

Close it! While not really a question, this is a real fear for many. If you open a spam email, it’s incredibly unlikely malicious code was downloaded to your phone. Delete the email and go on with your day. 

Can You Get Hacked by Opening a Website?

Yes! This is a fairly common attack where a threat actor sets up a spoofed website based on a common misspelling of a popular service or hijacks a legitimate website. HTML can freely execute code (if permitted) and if you visit a webpage where that’s happening, then you could get “hacked.”

How Can Someone Hack Your Email?

Security practitioners have made entire careers on this question–I won’t be able to do this justice here. 

Short answer: they have or guess your email password. It’s why most security practitioners recommend you use strong passphrases and enable multi factor authentication. If you find yourself the subject of an email hack, here’s a great YouTube video about how to discern that.


Simply opening an email could have gotten you “hacked” in the late 1990s and early 2000s. It’s very unlikely to do so today. Those vulnerabilities have been patched and there are far simpler and more effective attacks that still work today. Being smart and savvy are the best defenses to those attacks, which I discuss at length here.

What else do you do to keep yourself safe on the internet? Drop your favorite tactics in the comments!