PDF Files: Handy for Businesses — and Hackers

PDF files are the No. 1 type of file used in cyberattacks. Find out why hackers like to use them and how to protect your business.

Of all files that can be turned into cyberweapons, PDF files top the most-used list.  According to security researchers at Barracuda Networks, nearly 41 million PDF files were involved in cyberattacks in just a three-month period.

Given that PDF files are commonly used in the business world, it is important to protect your company against malicious ones.  To do so, though you first need to know how hackers can turn these seemingly inoffensive files into cyberweapons.

How PDF Files Can Go from Helpful to Harmful

PDF files do more than just display text and static images.  They can play animations and serve as electronic forms, for example.  This versatility is due to the inclusion of many advanced capabilities, such as the ability to execute system commands and JavaScript code on computers, smartphones, and other devices.  PDF files can also contain embedded files and hidden objects.  Cybercriminals like to use these advanced capabilities to create PDF files loaded with malware.

Hackers also like to exploit security vulnerabilities in the software used to open and display PDF files, such as Adobe’s Acrobat Reader and Acrobat programs.  By take advantage of the security vulnerabilities, cybercriminals can gain access to devices.

How to Protect Your Business

Outside of uninstalling or disabling PDF software, which would be impractical in today’s business environment, there are other measures you can take to protect your business.  They boil down to two elemental messages:  Employee Education and Maintained Updates and Patches:

  • Educate employees on the dangers of opening PDF files attached to emails, even if an email appears to come from someone they know. A hacker could be masquerading as the sender by spoofing the email address displayed in the “From” field.  Or a hacker could have hijacked the sender’s email account and used it to send a malicious PDF file to everyone in the person’s contact list.  Ensure you are expecting the email and it feels legitimate.
  • Warn staff about the dangers of downloading and opening PDF files they find on the internet.
  • Make sure the PDF apps (e.g. Acrobat Reader) and web browsers with built-in PDF readers (e.g. Microsoft Edge) are being updated so that known vulnerabilities are patched. You should also update PDF web browser extensions.  However, many extensions are not updated by their developers.  If that is the case, you might consider disabling or uninstalling them.
  • Verify the operating systems on your devices are being updated. This is particularly important on computers running Windows 10, since this operating system includes the built-in ‘Print to PDF’ tool.
  • Confirm that each device’s security software is being updated in case an employee inadvertently opens a PDF file that contains known malware.


Small Business