"No one you know is sending you an attachment you should open. If someone you know does send you an attachment without you expecting it, contact the person and make sure it was meant for you. In every other case, trash the mail. It's a weapon."
The scary thing is even companies that should know better will still send real emails with links to their customers. Before I dropped PayPal, I can't count how many times I tapped them on the shoulder to tell them that their official email looks no different than spam and a better approach would be to not include any links. Did they really want people that were so clueless that they couldn't type the company URL into a web browser and click the tab for the latest news? If all companies that legitimately wanted a customer to log into their account to verify something just sent an email asking them to do that with no links and no dynamic content, scammers would lose a lot of hooks.
As far as people I know sending me links, they've pretty much learned that if they don't tell me they are sending me something in advance, it just ends up in the trash. Anything I send is always in follow-up to something we've talked about. Files I send to customers come from my domain, and I point that out to them so if they see something claiming to be from me and the URL isn't my domain, they shouldn't open it without talking to me first. The probability is 99.999999999999% that it's a phishing attempt, as I don't send things via any outside service. That might change in the future, but I'd work really hard so it didn't.