Email clients and webmail commonly prevent images from being displayed by default. It is tempting to enable images, especially if you already take good security precautions, such as avoiding downloading any attachments. So why exactly is it such a bad idea to enable images in email?

The problem is that downloaded images are frequently used to collect information about users and their computers. When the email is opened, it requests the image directly from the sender, who then sends the image to the user’s computer. That request can give the sender the user’s IP address. The way the image is processed by the system can also give the sender information about the user’s computer, including the operating system, browser, and other useful details. This is the type of information that many users would rather keep private. Some people may think that if they are certain the email is from a genuine sender there is no problem in enabling the images, and this may be true most of the time. However, there is always the chance that an email from a malicious sender impersonating a trusted sender could slip through.
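To make the mechanism above concrete, the following Python code (an added example, not part of the original article) lists the images in a message that would cause a request to a remote server if images were enabled. The sample message, its hosts and the `remote_images` helper are constructed for this illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample message; all addresses and hosts are made up.
SAMPLE = """\
From: newsletter@example.com
To: user@example.org
Subject: Constructed sample
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="cid:logo@example.com" alt="logo">
<img src="https://img.example.net/open.gif?uid=12345" width="1" height="1">
<img src="http://cdn.example.net/banner.png" width="600" height="120">
</body></html>
"""

class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src would be fetched from a remote server."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        parts = urlsplit(a.get("src", ""))
        # cid: and data: images travel inside the message itself; only
        # http(s) and protocol-relative (//host/...) URLs reach out.
        if not (parts.scheme in ("http", "https") or (not parts.scheme and parts.netloc)):
            return
        self.findings.append({
            "host": parts.hostname,  # server that would see the reader's IP
            # Heuristics: 1x1 sizing and per-recipient query parameters.
            "tiny": a.get("width") in ("0", "1") and a.get("height") in ("0", "1"),
            "params": [k for k, _ in parse_qsl(parts.query)],
        })

def remote_images(raw_message):
    """Return one finding per image that would trigger a remote request."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteImageFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings

if __name__ == "__main__":
    print(*remote_images(SAMPLE), sep="\n")
```

The embedded `cid:` logo is not reported because it is delivered inside the message, while both `http(s)` images are, since loading either one contacts the listed host.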

Some providers, such as Gmail, try to get around the problem of images being sent directly by the sender by ‘prefetching’ the image to their own servers. This means that when a user opens the email containing the image, it is sent from Gmail’s servers and not the sender’s. This prevents any direct contact between the user and the sender, which in many cases can prevent the issues discussed above. However, not all mail providers use their own servers as proxies to download images, so it is worth keeping images disabled by default.

Therefore, as a general default setting, it is wise not to allow images to download in emails that you receive. By preventing information from being compiled about your computer, you will leave yourself much less vulnerable to any kind of targeted hacking, which relies on finding out important information about potential victims and their computers in order to perpetrate a successful attack.