Sandi Hardmeier's blog is always an interesting read.
Today, she talks about the risks of desensitisation, and the tendency of human beings to trust email from certain sources.
I tell all my users, "Don't trust email attachments. From anyone, at any time." No exceptions. No "Unless you know/trust them."
Do not trust email attachments.
It's that simple.
Does that mean "do not use email attachments"?
No, it means that you should verify that any email attachment you receive is virus-free, and that it was sent by the person you think sent it, and that you have a good reason to risk opening it. A phone call to the sender will verify that the attachment was sent, and what its purpose is, so that you can gauge its risk. A virus scanner will allow you to verify that it's virus-free (as far as the most recent update of your virus scanner is concerned).
If you trusted the email attachment, you would do none of this, and simply open it. So, and I can't repeat this often enough, never trust email attachments.