Like so many of the things we have come to rely on, most people who use e-mail have very little idea how it really works. A full explanation of the protocols and processes involved is beyond the scope of this article, but I want to focus on a couple of misconceptions that get people into trouble.
When you send an e-mail, it is passed from system to system (where "system" can be a computer, router, switch, etc.), across the internet, until it reaches the mailbox of the person you sent it to. It waits in that mailbox, until the recipient connects to his mailbox and downloads it to his computer or reads it via a web interface. In most cases, the e-mail is passing through or waiting on systems that you do not control or own, and which could be monitored or even compromised by someone you do not know or trust.
Think of an e-mail as a postcard, not a sealed letter. If you were to send a postcard to someone, I would hope you would not write anything on it that you are not willing for the entire U.S. Postal Service staff, as well as any strangers that might "sneak a peek" while it sits in a mailbox, to read. Most of the time, this is not a big deal, because most strangers do not care about your plans for the evening or even your plans for a surprise party. However, there are several things you should NEVER send in an e-mail:
Basically, anything you would not write on a postcard and hand to a stranger to deliver for you.
There is a technology, often called a "digital envelope", which makes use of dual-key encryption to secure an e-mail so that only the intended recipient can read it. Most people agree, however, that this technology is not yet simple enough for widespread adoption by non-technical people.
E-mail protocols were developed years ago, before there was so much on-line fraud and digital identity theft. The basic protocols were developed without any real concern about people not being who they say they are. Consequently, it is very easy to fake an e-mail address. I can send an e-mail from billgates@microsoft.com, georgewbush@whitehouse.gov, or even elvispresley@stillalive.com.
A common trick of internet viruses is to collect e-mail addresses on an infected computer, and then send itself out, using those e-mail addresses as both the TO and FROM addresses. This results in people getting e-mails that appear to be from friends, family, and business associates, but those "senders" did not actually send the e-mail, and may not even have the virus.
See also: how to recognize a virus
The bottom line is that you unfortunately must be suspicious of any e-mail you receive, until you have verified that it was in fact sent by the person named as the sender. You can often do this by simply recognizing the writing style or facts in the e-mail. You should never open file attachments, though, unless you are absolutely sure of the sender and the contents and purpose of the file being sent.
E-mails can sometimes be traced through "headers", which are hidden lines inside the e-mail that describe where it came from and what path it took to get to you. Unfortunately, these headers can also be forged and altered, so there is no guarantee.
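To make the point about headers concrete, here is an added example (it is not from the original article) that reads the "Received" lines of a message and lists the path the e-mail claims to have taken. Each mail server that handles a message adds its own Received line at the top, so the bottom line is the oldest and the top line is the one your own server wrote. The example also shows why the trail is not a guarantee: a Received line is only as trustworthy as the server that wrote it, so the lines written by a server you (or your provider) operate can be believed, while everything below them was handed over by the sender and could have been typed in by the sender. The message text, the host names such as mx.recipient.example, and the addresses are all made up for the example; the only real dependency is Python's standard email module.

```python
import email
import re
from typing import List, Tuple

# Constructed sample message (not a real capture). The top-most Received line
# was added last, by the recipient's own server; the bottom-most was supplied
# by the sending side and could have been fabricated there.
RAW_MESSAGE = """\
Received: from relay.isp.example (relay.isp.example [203.0.113.10])
\tby mx.recipient.example with ESMTP id abc123
\tfor <bob@recipient.example>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
\tby relay.isp.example with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from [10.0.0.7] (unknown [10.0.0.7])
\tby mail.sender.example with ESMTP id ghi789;
\tMon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: Hello

Just saying hi.
"""

# A Received line normally reads "from <host> ... by <host> ...".
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)

Hop = Tuple[str, str]  # (host that handed the message over, host that received it)


def received_chain(raw: str) -> List[Hop]:
    """Return the (from_host, by_host) pairs in chronological order.

    Relays prepend their Received line, so the header order in the file is
    newest-first; the list is reversed so the first hop comes first.
    """
    msg = email.message_from_string(raw)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        # Folded header lines contain newlines and tabs; collapse them.
        text = " ".join(str(value).split())
        match = HOP_RE.search(text)
        if match:
            hops.append((match.group("from"), match.group("by")))
    hops.reverse()
    return hops


def split_trust(hops: List[Hop], trusted_servers) -> Tuple[List[Hop], List[Hop]]:
    """Split the chain into (unverified, verifiable) parts.

    Walking backwards from the newest hop, we keep trusting lines as long as
    they were written 'by' a server we operate. The first line written by an
    outside server ends the trusted run: it, and everything older, arrived
    inside the message and could have been forged by the sender. Checking from
    the newest line downward also means a forged line that merely *names* our
    server, buried below a real outside hop, is not mistaken for a real one.
    """
    trusted = {s.lower() for s in trusted_servers}
    i = len(hops)
    while i > 0 and hops[i - 1][1].lower() in trusted:
        i -= 1
    return hops[:i], hops[i:]


def claimed_sender_domain(raw: str) -> str:
    """Domain part of the From header, i.e. what the sender *claims*."""
    msg = email.message_from_string(raw)
    return msg.get("From", "").rsplit("@", 1)[-1].strip().lower()


if __name__ == "__main__":
    chain = received_chain(RAW_MESSAGE)
    unverified, verifiable = split_trust(chain, {"mx.recipient.example"})
    print("Claimed sender domain:", claimed_sender_domain(RAW_MESSAGE))
    print("Verifiable hops (written by our own server):")
    for src, dst in verifiable:
        print(f"  {src} -> {dst}")
    print("Unverified hops (supplied by the sending side, may be forged):")
    for src, dst in unverified:
        print(f"  {src} -> {dst}")
```

For the sample message, the only hop that can actually be vouched for is the one the recipient's own server wrote: it saw a connection from relay.isp.example. The two earlier hops, including the one that names mail.sender.example, are just text the sender's side delivered along with the message, which is exactly why a header trail is a clue rather than proof. Running the script against a saved raw message (most mail clients offer "view source" or "show original") substitutes RAW_MESSAGE with that text and your own mail server's name for mx.recipient.example.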
Once again, there is a technology available, known as a "digital signature", which uses dual-key encryption to verify the source of an e-mail. Hopefully, in the future, this technology or something similar will be simplified enough for widespread use by non-technical people.