I get a lot of spam. A lot. The messages are instantly recognizable: the source number doesn’t look familiar, and the message attached to it is so clearly a phishing attempt that it’s insulting. But lately I’ve noticed an increase in a new type of spam, usually from an email address instead of a phone number, with a blank text followed by an attached PDF. Whoever is behind these spam messages wants me and other recipients to open the PDF and, they hope, tap on the hyperlink hidden inside.
If you find yourself in a similar situation, do this: Don’t open the PDF. It’s simply not worth the risk. While I haven’t seen any reports of these types of PDFs doing any damage on their own, a file causing harm just by being opened is far from unheard of. Microsoft just put out a similar fire regarding its Follina vulnerability, a security hole that allowed attackers to execute PowerShell commands after a user opened a malicious Microsoft Office document. Yes, it is possible to compromise a user’s device using nothing more than a seemingly harmless file.
It’s not impossible to imagine a similar scenario with a malicious PDF sent via text message. If someone discovers an exploit in iOS or Android, they could create malware that could mess with your smartphone. Again, there are no reports of such an exploit, nor reports of malicious actors taking advantage of it with fake PDFs. But it’s always better to be safe than sorry.
So, as a best practice: Don’t open the PDF. But let’s say, for the sake of argument, that you did (oops). The PDF is likely to be filled with spammy text trying to sell you whatever half-baked pitch they think will grab your attention. Inevitably, there will be a link you can click, should you so desire. Don’t. Tap. The. Link.