A false positive is a recorded click by an IP address that is not done by a learner. It can be described as a 'false click' and displayed in your results as though the learner has clicked on a link when they did not. False positives can frequently show up in your Click Report and affect your overall click-through rate (CTR) if they are not removed from your results.
1. What is a click?
A genuine 'click' is when a learner has clicked on a link in a phishing email. 'False positives' or 'false clicks' are caused by a range of factors:
- Incorrect whitelisting of your spam filter or additional whitelisting is required
- Antivirus software or endpoint security
- Security software incorporated into mobile device management systems
- Link previews as part of mobile device software
- Phishing emails forwarded from one learner to another - the forwarded email was sandboxed and checked by the mail server
1a. Identifying automated Bot Clicks
A 'bot click' can be caused by an automated process within your technical infrastructure. This can be due to insufficient whitelisting. Bot clicks are noticeable in reporting due to their common characteristics:
- The times listed for 'clicked' or 'opened' are within a minute of each record
- The internet browser is not associated with your organisation
- The IP address is associated with your organisation's security products
2. Why are IP addresses not associated with our organisation appearing in the results?
The IP addresses that are listed in the results are recorded from the locations of the click. The click can be from a range of factors, such as:
- A business product may use a hosted service provider which may be located elsewhere domestically or internationally.
- The learner has clicked the link on a mobile device therefore the IP address may report to the cellular service provider
- The learner is using public Wi-Fi therefore the click may report from the Wi-Fi's location
- The learner is using their home Wi-Fi therefore the click may be from an IP address belonging to that internet service provider
3. How to identify the false positive 'clicks' from a phishing campaign
- Go to Dashboard > Click Report
- Select Campaign and the date range
- From the Action drop-down menu, select Clicked
- Select Apply Filters
The results are listed in alphabetical order of the Learners, however, you can filter the table by Timestamp to view the most recent entries. As you scan the results, similar entries may appear which indicate that you may have located some false positives in your results. In the example below, the timestamp is within seconds and the IP address is identical.
To confirm if they are false positives, utilise a Bulk IP Lookup tool to investigate the IP's origins. In the example above the IP address is listed as 'Microsoft-Corp-Msn-As-Block', and not the organisation ISP. Therefore this IP address range should be Excluded from the results.
4. What is the Exclusion List?
If you have located a false positive in your results, it should be added to your Exclusion List. This feature allows you to remove the false positives from your reporting with just a few steps. You will be able to exclude unwanted IP addresses and label them to easily identify where a user is clicking from.
5. What can I do to prevent false positives?
False positives are a common occurrence in reporting, however, there are steps you can implement to ensure you are reducing the amount that appears. To prevent false positives, first, you must understand the products and infrastructure in your environment.
- Check if your security products allow for the removal of link scanning, link probing, and analysis
- Implement additional whitelisting of our phishing domains (request this list from firstname.lastname@example.org)
- If suitable for your environment, implement Advanced Delivery Simulated Phishing Policy
- Create test campaigns on different internet browsers and workstations to identify which setup will likely cause a false positive result
- Routinely add IP addresses to the Exclusion list
If you are still experiencing false positives in your reporting, reach out to email@example.com for assistance.