To ascertain whether a user has genuinely clicked a Phishing simulation link, or whether it has been automatically 'clicked' upon delivery by scanning software, check (within the Phish Overview Report) what time the email was delivered at (using the Delivery Time column), and then compare this against the time the click was registered within the Audits in the Phish Overview report.
If there is a difference of several seconds between these times, then this would be considered as a 'false' click. However, if there are several minutes/hours/days between the two, this would be considered as a genuine click by a user.