VirusTotal is one of the most respected security tools on the internet. Owned by Google (via Chronicle/Mandiant), it scans files and URLs against 70+ security vendor engines simultaneously. But when it comes to email analysis, VirusTotal has significant limitations that most users do not realize. This guide explains what VirusTotal can and cannot do for email security, and when to use a more specialized tool.
Need to check an email now? IsThisAScam.to is purpose-built for email analysis — paste the full message for comprehensive 6-layer detection.
What VirusTotal Does Well
File Scanning
Upload any file (up to 650MB) and VirusTotal scans it against 70+ antivirus engines. If an email attachment seems suspicious — a PDF, Word document, Excel file, or executable — uploading it to VirusTotal is an excellent first step. If multiple engines flag the file, it is almost certainly malicious.
URL Scanning
Paste a URL and VirusTotal checks it against 90+ URL scanning engines and blacklists. If a link in an email looks suspicious, this tells you whether any security vendor has flagged it.
Hash Lookup
For advanced users, you can check a file's hash (MD5, SHA-256) without uploading the file itself. This is useful for checking known malware signatures quickly.
Think it might be a scam?
Paste it here for a free, instant verdict.
Free · No signup required · Cmd+Enter to scan
What VirusTotal Cannot Do for Emails
It Cannot Analyze Email Content
VirusTotal has no interface for pasting an email body and analyzing the text for phishing indicators, social engineering patterns, or scam characteristics. You can check individual links from the email, but you cannot submit "This email says my Amazon account is suspended and I need to verify my identity" for analysis.
It Cannot Check Email Authentication
VirusTotal does not check SPF, DKIM, or DMARC results. These authentication checks — which reveal whether the email actually came from the claimed sender — are among the most powerful indicators of phishing. See our email header guide for how to check these manually.
It Cannot Detect Social Engineering
An email that contains no malicious links or attachments but uses social engineering to trick you into calling a fake phone number, replying with sensitive information, or making a wire transfer — VirusTotal cannot evaluate this. Many modern scams are "clean" from a URL/malware perspective but dangerous from a social engineering perspective.
It Cannot Detect AI-Generated Phishing
AI-generated phishing emails are grammatically perfect and may contain only legitimate URLs (like a real bank's website) — the scam is in getting you to call a fake phone number mentioned in the text. VirusTotal's URL and file scanning cannot identify these.
How to Use VirusTotal for Email-Related Checks
Despite its limitations for full email analysis, VirusTotal is valuable for specific email-related tasks:
Step 1: Check Suspicious Attachments
- Do NOT open the attachment
- Save it to your computer (without opening)
- Go to virustotal.com
- Click "Choose file" and upload the attachment
- Wait for the scan results (usually 30-60 seconds)
- If any engines detect malware, do not open the file
Note: be cautious about uploading sensitive business documents — VirusTotal shares submitted files with its security partners.
Step 2: Check Links in the Email
- Hover over the link to see the full URL (do not click)
- Copy the URL
- Go to virustotal.com > URL tab
- Paste and scan
- If multiple engines flag it, the URL is malicious
Step 3: Check the Sender's Domain
- Extract the domain from the sender's email address (the part after @)
- Search this domain on VirusTotal
- Check if it has been associated with malicious activity
Limitations of VirusTotal's Detection
- Zero-day threats: Brand new malware or phishing URLs may not be in any vendor's database yet. VirusTotal showing 0 detections does not guarantee safety.
- Evasive techniques: Sophisticated phishing sites may detect VirusTotal's scanning bots and show benign content to them while serving phishing pages to real users.
- Geographic cloaking: Some scam sites only serve malicious content to visitors from specific countries. VirusTotal's scanners may not trigger the malicious payload.
The Better Alternative for Email Analysis
IsThisAScam was built specifically for the email analysis use case that VirusTotal does not cover. Its 6-layer detection engine evaluates:
- All links in the email — checking domain age, SSL, and reputation (similar to VirusTotal, but in context)
- Email content patterns — identifying urgency triggers, social engineering language, and known scam scripts
- Sender analysis — evaluating the sender domain's reputation and configuration
- AI content detection — flagging AI-generated phishing text
- Threat database matching — cross-referencing the entire email against known scam templates
- Behavioral indicators — assessing whether the email fits known scam playbooks
Use VirusTotal for file scanning and individual URL checks. Use IsThisAScam for comprehensive email analysis.
For more email security options, see best email security tools and free phishing check tools.
Received something suspicious? Check it now for free →