How to identify and address False Positives

If you are running a phishing campaign and see results that are unusual (for example, clicks registered before anyone could have read the email, or clicks from IP addresses that do not belong to your organisation), you may be seeing false positive clicks. Below are some of the common reasons for False Positives as well as some tips for handling them.

What is Considered a 'Click'?

'Clicks' are how we track when a user clicks on a phishing link in a simulated email. However, a click can also be registered by something other than a person: any process that fetches the tracking link, for example a mail filter that follows URLs to check them, is indistinguishable from a user click. We refer to clicks that were not caused by a user clicking a phishing link as 'False Positives'. Listed below are some of the most common causes.

  • Improper or incomplete allowlisting of your spam filter. Many spam filters follow ('probe') the links in inbound mail as part of link analysis; if simulated phishing emails are not exempted from that analysis, every scan registers as an automated or Unexplained Click. Allowlisting the sending domain or IP addresses alone is often not enough, and additional allowlisting may be required to exempt the emails from link analysis or link probing specifically. 
  • Mail filters with security add-on packs that have not been allowlisted.
  • Endpoint security or antivirus software.
  • Link preview functions as part of mobile device operating systems.
  • Security software incorporated into Mobile Device Management (MDM) systems.
  • Phishing emails forwarded from one user to another user. A click may be registered because the forwarded email was sandboxed and its links checked by the mail server, or because the recipient of the forwarded email clicked on the link themselves. In either case the click is attributed to the original recipient, since the tracking link is tied to them. 

How to Identify 'Unexplained Clicks'

Instances of improper or insufficient allowlisting can lead to an Unexplained Click, most likely caused by an automated process within your infrastructure rather than by the user. Listed below are some of the ways these Unexplained Clicks can be identified.  

  • The times listed for the Delivered, Open, and Click columns all match or are within seconds of each other. A person needs time to notice, open and read an email before clicking, so a click logged in the same few seconds as delivery points to automated scanning. Our Support Team can find this information upon request. 
  • The IP address belongs to a provider of one of your security products (your spam filter, link-scanning service or MDM vendor) rather than to your own network or a residential or mobile ISP. Our Support Team can find this IP information upon request; however, this information is environment-dependent, and therefore isn't always available.
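The two indicators above can be checked mechanically against a campaign export. The script below is an added example for this article, not a feature of the platform: it assumes a CSV export with Delivered, Open and Click timestamps plus the click IP (the column names, timestamp format and sample rows are constructed for the example), flags any click that lands within a few seconds of delivery, and flags any click IP that falls inside an address range you have recorded for your security vendors (the TEST-NET ranges used here are placeholders; replace them with the ranges your filter or link-scanning vendor publishes). The last sample row shows the case where a human-paced click still comes from a vendor range, which is what backend link analysis by a hosted security service looks like.

```python
import csv
import io
import ipaddress
from datetime import datetime

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"

# Clicks this close to delivery are treated as automated. The article only
# says "within seconds"; the exact threshold is an assumption for this example.
AUTOMATED_WINDOW_SECONDS = 10

# Placeholder address ranges (RFC 5737 TEST-NET blocks) standing in for the
# ranges published by your spam filter or link-scanning vendor.
SCANNER_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample export: column names and rows are invented for this example.
SAMPLE_EXPORT = """\
user,delivered,opened,clicked,click_ip
alice@example.com,2024-05-01 09:00:02,2024-05-01 09:00:03,2024-05-01 09:00:04,203.0.113.7
bob@example.com,2024-05-01 09:00:05,2024-05-01 09:41:12,2024-05-01 09:43:30,198.51.100.24
carol@example.com,2024-05-01 09:00:07,,2024-05-01 09:00:09,192.0.2.77
dave@example.com,2024-05-01 09:00:09,2024-05-01 10:15:00,,
erin@example.com,2024-05-01 09:00:11,2024-05-01 09:30:00,2024-05-01 09:30:44,203.0.113.200
"""


def parse_timestamp(value):
    """Return a datetime for a non-empty timestamp cell, else None."""
    return datetime.strptime(value, TIMESTAMP_FORMAT) if value else None


def ip_is_scanner(click_ip):
    """True when the click IP falls inside a recorded security-vendor range."""
    if not click_ip:
        return False
    addr = ipaddress.ip_address(click_ip)
    return any(addr in net for net in SCANNER_NETWORKS)


def classify_click(delivered, opened, clicked, click_ip):
    """Return the false-positive indicators for one result row (empty if none)."""
    reasons = []
    if clicked is None:
        return reasons  # nothing was clicked, so there is nothing to explain
    if delivered is not None:
        gap = (clicked - delivered).total_seconds()
        # Delivered, Open and Click all within the window is the pattern the
        # article describes; a missing Open with an instant Click is just as telling.
        if gap <= AUTOMATED_WINDOW_SECONDS:
            reasons.append("click %.0f s after delivery" % gap)
    if ip_is_scanner(click_ip):
        reasons.append("click IP %s is in a security-vendor range" % click_ip)
    return reasons


def flag_false_positives(export_text):
    """Parse a CSV export and return {user: [reasons]} for suspicious clicks."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = classify_click(
            parse_timestamp(row["delivered"]),
            parse_timestamp(row["opened"]),
            parse_timestamp(row["clicked"]),
            row["click_ip"],
        )
        if reasons:
            flagged[row["user"]] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_false_positives(SAMPLE_EXPORT).items():
        print(user, "->", "; ".join(reasons))
```

Run against the sample data, alice and carol are flagged on both timing and IP, erin on IP alone, and bob and dave not at all. A row flagged only on IP is worth a second look before you discount it, since a user on a corporate VPN or proxy can legitimately share an address block with a security vendor; the timing indicator is the stronger signal.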

What Causes Unexpected IP Addresses?

  • If a user clicks on the link while on a mobile device using cellular data, the click will show as having come from the cellular service provider's address range. 
  • If a user is on the Wi-Fi at home, the click will register from an IP address belonging to that user's Internet Service Provider (ISP).
  • If a user is on public Wi-Fi, the click will register from the IP address of that public network, i.e. from wherever the user was when they clicked.
  • If you, or one of your security products, use a hosted services provider, such as AWS, the IP address may come from another location or even another country. Certain link analysis processes do not run on the client side: the link is 'passed' to the security provider's backend processing or analysis centre, so the click arrives from that provider's hosting range rather than from the user's device. 

What Can I Do to Prevent False Positives?

Knowing your infrastructure is the most important step for preventing False Positives: make a list of every product that handles mail or opens links on your users' behalf (spam filter, security add-on packs, endpoint protection, MDM, link preview). Since there are a wide variety of security software products, check the documentation of each software or service provider that you use for a section about exempting links or domains from link scanning, link analysis or link probing. 

You can also run test campaigns with a couple of different templates, sent to a small group of test accounts on devices that have the same setup as your users' workstations and mobile devices. If clicks appear before anyone has opened the test emails, your current setup is generating False Positives and more allowlisting is needed before you run a live campaign. 

Make sure your users are only reporting emails via our Phish Plugin and not a different phish reporter, e.g. the Office 365 phishing button. Reporting through another vendor's button typically submits the message to that vendor for analysis, and that analysis can follow the link and register a click against the user who reported it.

Check to see if your security products have the option of additional allowlisting. 
