Most malware requires user action, or a negligent user’s inaction, to make it onto a host system. Usually, scammers use a variety of tricks to get victims to download, install, and run malware on their computers or devices. Malware distribution is largely dependent on social engineering for this purpose.
Viruses and Trojans are often disguised as innocent email attachments in phishing emails. Users are tricked into downloading malware that poses as an invoice, form, image, or other document. Once on the user’s device, the malware either unpacks itself or waits for the user to attempt to open it before executing its code.
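A mail filter can test for this disguise before the user ever sees the file. The sketch below is an added example, not part of the original page: it flags attachments whose name or leading bytes contradict the document type they claim to be. The extension lists are illustrative assumptions and the sample message is constructed with harmless placeholder bytes.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that run code when opened on Windows (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta"}
# Extensions a lure usually claims to be.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Leading bytes expected for a few document types.
MAGIC = {".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG"}


def check_attachment(filename, payload):
    """Return a list of reasons the attachment looks disguised."""
    reasons = []
    stem, ext = os.path.splitext((filename or "").strip().lower())
    inner_ext = os.path.splitext(stem)[1]
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + ext)
        if inner_ext in DOCUMENT_EXTS:
            reasons.append("double extension hides " + ext + " behind " + inner_ext)
    if payload[:2] == b"MZ" and ext not in {".exe", ".scr", ".dll"}:
        reasons.append("Windows executable header under " + (ext or "no") + " extension")
    elif ext in MAGIC and not payload.startswith(MAGIC[ext]):
        reasons.append("content does not match " + ext)
    return reasons


def scan_message(raw):
    """Map each attachment filename in a raw message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {(part.get_filename() or "(unnamed)"):
            check_attachment(part.get_filename(), part.get_content())
            for part in msg.iter_attachments()}


def build_sample():
    """Constructed sample message; payloads are harmless placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    for name, data in [("invoice.pdf.exe", b"MZ placeholder"),
                       ("photo.jpg", b"MZ placeholder"),
                       ("report.pdf", b"%PDF-1.7 placeholder")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Running `scan_message(build_sample())` flags the first two attachments and returns an empty list for `report.pdf`.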
Links in phishing email scams or malicious Web sites
Often, phishing email scams try to direct victims to Web sites under the pretense of a threat (“your account will be disabled”), warning (“suspicious activity has been detected on this account”), or deal (“limited-time offer if you click now”). These links typically lead to malicious sites that download malware to the victim’s device when the victim loads the page.
Malvertising, or malicious advertising, downloads malware to a victim’s device when the victim loads a Web page that displays the malicious advertisement. Malvertising is a pervasive problem because it is poorly controlled and can appear even on legitimate Web sites.
Infected storage devices
Some social engineers leave malware-infected thumb drives or other storage devices in public locations where they’re likely to be discovered. When someone plugs the storage device into a computer to determine its contents, malware in the device can transfer itself to the computer and infect it. Never plug suspicious or unknown storage devices into a computer.
All of these attack methods are made easier if a computer’s or device’s owner has not kept the software on the computer or device up to date. In fact, this is often how worms spread: by taking advantage of system vulnerabilities before they can be patched.