Don’t trust unsolicited files or embedded links, under any circumstances.

It’s easy to spoof e-mail addresses, so that an e-mail seems to come from someone other than the real sender (who may in any case be a spam tool rather than a human being). Basic SMTP does not validate the sender’s address in the “From” field, though well-secured mail services do often include such functionality.
It is also possible for mail to be sent from your account without your knowledge, by malware, though malware that works in this way is far rarer than it used to be. It’s far more effective for a spammer to hire the services of a bot-herder nowadays, and malware that manages to infect your system doesn’t have to use your mail account or client software to send spam, scams and malware on to other victims.
There are many ways to disguise a harmful link so that it looks like something quite different, whether it’s in e-mail, chat or whatever. The disguising of malicious links in phishing e-mails so that they appear to go to a legitimate site has obligated developers to reengineer browsers to make it easier to spot such spoofing.
However, too many people forget to make use of elementary precautions such as passing the mouse cursor over the link so that the real link shows up. In any case, it’s not always easy to distinguish a genuine site from a fake site just from the URL, even if the URL is rendered correctly..
TRA Consulting
375 Redondo Avenue #153
Long Beach, CA 90814