
You have just been caught by a phishing email.

The good news is that this is only a test, run by the IT Department, so no harm has been done.
The bad news is that it was a relatively simple test that you ought not to have failed.

The traps you fell into are genuine tricks that hackers use, and which could – and should – have been avoided.

First, for senders within Eton our email system will show the sender’s name, but it will show the full email address if the sender is external. This is to prevent hackers trying to impersonate Eton staff. The email you received could therefore instantly be identified as external in its origin.

Second, the email is from etoncolege.org.uk and not etoncollege.org.uk. Hackers will often use domains that are visually similar to real domains.

Third, if you hover your mouse over the link in the email it will show you the address you will link to. Instead of a real SharePoint address (which is a long and complicated code), this email links to etoncolege.org.uk again.

Fourth, did this really seem like the sort of email the Head Master would send? It is not like the Head Master’s office to send an email without a greeting and sign-off; if a link is included, there would be an explanation of what it was for, like this genuine email below:

Finally, the alarm bells should have been ringing loud and clear when you saw files entitled “salaries” and “my CV,” and you should definitely NOT have clicked on them.
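The first three checks above (an external sender, a look-alike domain, and a link that leads to that domain) can also be applied automatically by a mail filter. The Python below is an added example, not part of the original notice or of Eton's own tooling; the sample From header, the link URL, the function names and the edit-distance threshold of 2 are assumptions constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "etoncollege.org.uk"  # the genuine domain named in the notice
# Constructed sample input (not taken from the real test email).
SAMPLE_FROM = '"Head Master" <headmaster@etoncolege.org.uk>'
SAMPLE_LINKS = ["https://etoncolege.org.uk/shared/salaries"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str, trusted: str = TRUSTED_DOMAIN, max_dist: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a host name."""
    domain = domain.lower().rstrip(".")
    if domain == trusted or domain.endswith("." + trusted):
        return "internal"
    # Compare only as many trailing labels as the trusted domain has,
    # so www.etoncolege.org.uk is judged on etoncolege.org.uk.
    tail = ".".join(domain.split(".")[-(trusted.count(".") + 1):])
    if edit_distance(tail, trusted) <= max_dist:
        return "lookalike"
    return "external"

def triage(from_header: str, link_urls: list[str]) -> list[str]:
    """Apply the notice's first three checks and list what they find."""
    findings = []
    _, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2]
    kind = classify_domain(sender_domain)
    if kind != "internal":  # check 1 (external) and check 2 (look-alike)
        findings.append(f"sender is {kind}: {sender_domain}")
    for url in link_urls:  # check 3: where the link really goes
        host = urlsplit(url).hostname or ""
        if classify_domain(host) == "lookalike":
            findings.append(f"link points to lookalike host: {host}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_FROM, SAMPLE_LINKS):
        print(finding)
```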