Quick Tech Tip: Show File Extensions Before You Open Attachments

Jennifer from The IT Guys helping a small business owner check file extensions before opening attachments.

Today's practical tech tip: turn on file name extensions so you can see what a downloaded file or email attachment really is before you open it.

Showing file extensions makes suspicious attachments easier to spot before someone clicks.

This is a small setting, but it catches a lot of everyday trouble. A file named Invoice.pdf feels normal. A file named Invoice.pdf.exe is a very different story. If your computer hides the last part of the name, the dangerous version can look harmless at a glance.

For home users, this helps with fake delivery notices, tax forms, resumes, photos, invoices, and bank documents. For small businesses, it helps staff slow down before opening vendor attachments, payroll files, quote requests, scanner output, and anything that arrived from outside the company.

Why file extensions matter

A file extension is the part at the end of a file name after the final dot, such as .pdf, .docx, .xlsx, .jpg, .zip, or .exe. Microsoft explains that extensions help Windows identify the type of file and which app should open it. Apple has a similar Finder setting for showing all filename extensions on a Mac.

Attackers know people skim file names quickly. CISA specifically tracks double file extensions as a masquerading technique, where a file is named to make the real type less obvious. CISA also advises users to be cautious with email attachments, and the FTC warns that phishing messages often try to get people to click links or open attachments.

Turn it on in Windows 11

  1. Open File Explorer. The quick keyboard shortcut is Windows key + E.
  2. Select View in the toolbar.
  3. Choose Show.
  4. Turn on File name extensions.
  5. Open your Downloads folder and make sure files now show endings like .pdf, .docx, .jpg, or .exe.

Microsoft's official Windows guidance lists this same path: File Explorer > View > Show > File name extensions.

Turn it on in macOS

  1. Click the Finder icon in the Dock.
  2. From the menu bar, choose Finder > Settings.
  3. Click Advanced.
  4. Check Show all filename extensions.
  5. Look at a few files in Finder to confirm that endings such as .pdf, .pages, .jpg, or .zip are visible.

Apple's official Mac guide confirms this setting under Finder > Settings > Advanced.

What to watch for after you turn it on

Showing extensions does not magically prove a file is safe, but it gives you a better chance to spot something wrong. Slow down when you see these patterns:

  • Double extensions: names like invoice.pdf.exe, shipping-label.docx.js, or resume.pdf.scr.
  • Executable endings: files ending in .exe, .msi, .bat, .cmd, .js, .vbs, .ps1, or .scr, especially when they came through email or chat.
  • Archive files from strangers: unexpected .zip, .rar, .7z, or password-protected archives can hide dangerous contents from basic scanning.
  • Files pretending to be documents: a file icon may look like a PDF or spreadsheet, but the extension at the end matters more than the icon.
  • Unusual sender pressure: anything that says urgent, overdue, final notice, new bank details, payroll correction, shared scan, or open immediately deserves extra checking.
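The filename patterns in the list above can also be checked automatically. The script below is an added example, not part of the original article; the names `triage`, `scan` and the label strings are assumptions made for illustration. It goes slightly beyond the list by ignoring upper/lower case and trailing spaces or dots.

```python
import sys
from pathlib import Path

# Extension sets copied from the list above (lower-case, with leading dot).
EXECUTABLE = {".exe", ".msi", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".scr"}
ARCHIVE = {".zip", ".rar", ".7z"}
# Document and photo endings named on this page; a different ending that
# follows one of these is the "invoice.pdf.exe" pattern.
DOCUMENT = {".pdf", ".docx", ".xlsx", ".jpg", ".jpeg", ".png", ".heic", ".pages"}


def triage(filename):
    """Return the warning labels (possibly none) for one file name."""
    # Normalise case and trailing dots/spaces so the last real ending is compared.
    name = filename.strip().rstrip(". ").lower()
    exts = ["." + part.strip() for part in name.split(".")[1:]]
    if not exts:
        return []
    final, findings = exts[-1], []
    if final in EXECUTABLE:
        findings.append("executable")
    if final in ARCHIVE:
        findings.append("archive")
    if len(exts) >= 2 and exts[-2] in DOCUMENT and final not in DOCUMENT:
        findings.append("double-extension")
    return findings


def scan(names):
    """Map each flagged name to its labels; clean names are left out."""
    return {n: labels for n in names if (labels := triage(n))}


# Constructed sample names, not taken from any real mailbox.
SAMPLE = ["Invoice.pdf", "Invoice.pdf.exe", "shipping-label.docx.js",
          "RESUME.PDF.SCR ", "photos.zip", "report.v2.final.pdf", "setup.msi"]

if __name__ == "__main__":
    # With a folder argument, check that folder; otherwise use the samples.
    names = [p.name for p in Path(sys.argv[1]).iterdir()] if len(sys.argv) > 1 else SAMPLE
    for name, labels in scan(names).items():
        print(f"{name!r}: {', '.join(labels)}")
```

Run it with a folder path such as your Downloads folder as the only argument to list the names worth a second look. A name that is not flagged is not thereby safe.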

A simple attachment-check routine

Use this routine for invoices, resumes, scanner files, vendor documents, legal paperwork, and anything unexpected:

  1. Check the sender first. Make sure the address is actually the person or company you expected, not a lookalike domain.
  2. Look at the full file name. Do not rely only on the icon or preview tile.
  3. Ask whether the file type makes sense. A PDF should end in .pdf. A Word document should usually end in .docx. A photo should usually end in .jpg, .jpeg, .png, or .heic.
  4. Do not open unexpected executables. If a vendor sends an .exe, .msi, script, or password-protected archive without prior agreement, verify it another way before opening it.
  5. Confirm through a known channel. Call a known number, use the vendor's saved contact, or open a known website manually. Do not use the phone number or link inside the suspicious message.
  6. Scan before opening when unsure. Save the file, scan it with your security software, and ask IT before enabling macros, running scripts, or installing anything.

The FTC's phishing guidance says not to click links or download attachments in unexpected messages, and to contact the company through a phone number, email, or website you already know is real. That advice applies just as much to small offices as it does to home users.

Small business setup idea

If you manage a small office, make this part of new-computer setup. Turn on file extensions on every workstation, then teach staff one rule: if the visible file type does not match what the sender claims it is, stop and ask.

This is especially useful for front desk computers, accounting machines, HR inboxes, shared scanner PCs, and anyone who handles customer-submitted files. Those users are more likely to receive attachments from people outside the company, which means they need the clearest possible warning signs.

Important cautions

  • A familiar extension is not a safety guarantee. A real .pdf or .docx can still be malicious or can lead someone to a phishing page.
  • Renaming a file does not convert it. Microsoft notes that changing a file extension changes the name, not the actual file format.
  • Do not train staff to ignore warnings. If Windows, macOS, Microsoft Office, or the browser warns that a file came from the internet or may be unsafe, stop and check.
  • Macros should stay suspicious. If a document asks you to enable macros or content before you can read an invoice, form, or resume, treat that as a red flag.
  • One setting is not a full security plan. Keep backups, updates, email filtering, endpoint protection, and multi-factor authentication in place.
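Because renaming a file does not convert it, the first few bytes of the content still show the real format. The check below is an added example, not part of the original article; the function names, the labels and the small signature table are assumptions for illustration and cover only a handful of common formats.

```python
import os
from typing import Optional

# Leading-byte signatures for a few common formats.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"MZ", "windows-executable"),
    (b"PK\x03\x04", "zip-container"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# What each extension should contain. .docx and .xlsx are ZIP containers.
EXPECTED = {
    ".pdf": "pdf", ".exe": "windows-executable", ".scr": "windows-executable",
    ".zip": "zip-container", ".docx": "zip-container", ".xlsx": "zip-container",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
}


def sniff(head: bytes) -> Optional[str]:
    """Name the format whose signature starts the data, or None."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def check(filename: str, head: bytes) -> str:
    """Compare the extension's claim with the first bytes of the content."""
    ext = os.path.splitext(filename.lower())[1]
    claimed = EXPECTED.get(ext)
    if claimed is None:
        return "unchecked"  # extension not in the table above
    actual = sniff(head)
    if actual == claimed:
        return "consistent"  # format matches the name; says nothing about safety
    return f"mismatch: {ext} name, {actual or 'unrecognised'} content"


def check_file(path: str) -> str:
    """Read the first 8 bytes of a file on disk and run the same check."""
    with open(path, "rb") as fh:
        return check(os.path.basename(path), fh.read(8))
```

A "mismatch" result is a reason to stop and ask IT; a "consistent" result only means the name and the format agree.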

When to call an IT professional

Call for help if someone opened a suspicious attachment, ran an installer, enabled macros, typed a password after opening a file, or saw files suddenly rename themselves. Disconnect the affected computer from Wi-Fi or Ethernet if you suspect malware or ransomware, but do not wipe the machine before evidence and recovery options are checked.

For businesses, IT can also enforce extension visibility, restrict dangerous attachment types, review email filtering, set up safer defaults for Office documents, and make sure backups can actually restore files after a bad click.

Sources