But surely you can trust an email from a friend?
Yes and no. Maybe it really is from your friend, no if it's only pretending. I'll explain.
Here's what happens. Your friend visits a web site that installs software on his computer - this software gives complete control of his computer to a Bad Person. Or he clicks on an email attachment that does that. So now a Bad Person has control of your friend's computer.
The Bad Person can now email everyone on your friend's contact list. Or email everyone who your friend recently emailed (by checking the "sent email" folder). Or email everyone who emailed your friend. And that email comes from your friend's computer, has your friend's name and closing lines (signature) on it, and asks you to do whatever the Bad Person has in mind. Which is probably a Bad Thing.
There's another wrinkle to this. When you get that email (as do umpteen other people), you might realise that it didn't actually come from your friend, in which case you might email your friend and tell him that his computer has a problem. And then your friend will get rid of the trojan.
This, from the point of view of the Bad Person), is bad. So what I'm seeing now, is that the email to everyone on the contact list, is being done from *another* compromised computer. So if you just hit "reply" to tell your friend about the problem, it won't get to your friend. And the trojan survives to do more damage.
So even if an email seems to come from a friend, don't visit any suggested web site, and don't click on any attachments, until you are *sure* that your friend really did send it.