Troubleshooting Guide: Showing 100% click rate on Phishing Tests (False Positives)
Seeing an unusually high or 100% click rate in your phishing campaigns? It’s likely due to false positives. This often happens when links are "clicked" by bots, scanners, or automated systems (like spam filters or antivirus software) rather than actual users. Let’s walk through why it happens and how to fix it.
Common Reasons for False Positives
Clicks are what we track when a user clicks on a phishing link in a simulated email. But sometimes, those clicks come from tools - not humans. That’s what we call a false positive.
Here are some common culprits:
- Spam filters or email security tools not properly whitelisted can cause automated clicks or bot clicks.
- Advanced threat protection tools (like Safe Links) that scan links before delivery.
- Antivirus or endpoint protection checking links automatically.
- Link preview functions as part of mobile device operating systems.
- Security software that is incorporated into mobile device management (MDM) systems.
- Phishing emails being forwarded from one user to another user. This action may be registered as a click because the forwarded email was sandboxed and checked by the mail server or because the recipient of the forwarded email clicked on the link.
How to Identify Bot Clicks
Improper whitelisting can lead to a bot click. Bot clicks are caused by an automated process within your infrastructure. You can identify a bot click by examining your phishing campaign report.
Listed below are some ways you can identify bot clicks:
- The report shows the delivered, opened, and clicked actions all happening at the same time, or within a minute of each other.
- Emails are clicked before they're even opened.
- A high or 100% click rate across all users.
Need help reviewing timestamps? Visit our Monitor and Review Phishing campaigns guide.
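As an added example (not part of the original guide or of the vendor's tooling), the Python script below applies the three indicators listed above to rows exported from a campaign report. The row layout (recipient, delivered, opened, clicked as ISO 8601 timestamps) and the function names are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)  # "within a minute of each other", per the guide

def ts(value):
    """Parse an ISO 8601 timestamp, or return None for a missing event."""
    return datetime.fromisoformat(value) if value else None

def bot_indicators(delivered, opened, clicked):
    """Return the bot-click indicators that apply to one recipient's row."""
    d, o, c = ts(delivered), ts(opened), ts(clicked)
    reasons = []
    if c is None:
        return reasons  # no click recorded, nothing to explain
    if o is not None and c < o:
        reasons.append("clicked before opened")
    events = [t for t in (d, o, c) if t is not None]
    if len(events) == 3 and max(events) - min(events) <= WINDOW:
        reasons.append("delivered, opened and clicked within a minute")
    return reasons

def review_campaign(rows):
    """rows: list of (recipient, delivered, opened, clicked) tuples (assumed layout)."""
    flagged, clicks = {}, 0
    for recipient, delivered, opened, clicked in rows:
        clicks += bool(clicked)
        reasons = bot_indicators(delivered, opened, clicked)
        if reasons:
            flagged[recipient] = reasons
    rate = clicks / len(rows) if rows else 0.0
    # A 100% click rate across all users is itself an indicator.
    all_clicked = bool(rows) and clicks == len(rows)
    return {"click_rate": rate, "all_clicked": all_clicked, "flagged": flagged}

# Constructed sample data, not taken from a real campaign report.
SAMPLE = [
    ("alice@example.com", "2024-05-01T09:00:00", "2024-05-01T09:00:02", "2024-05-01T09:00:02"),
    ("bob@example.com", "2024-05-01T09:00:00", "2024-05-01T09:00:05", "2024-05-01T09:00:03"),
    ("carol@example.com", "2024-05-01T09:00:00", "2024-05-01T10:14:00", "2024-05-01T10:15:30"),
    ("dave@example.com", "2024-05-01T09:00:00", None, None),
]

if __name__ == "__main__":
    result = review_campaign(SAMPLE)
    print(f"click rate: {result['click_rate']:.0%}, all clicked: {result['all_clicked']}")
    for who, why in result["flagged"].items():
        print(who, "->", "; ".join(why))
```

Rows that are flagged are candidates for the log review described in the next section; a click that follows an open by more than a minute, like the third sample row, is left unflagged.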
Tracking Down Unexpected Clicks
Still seeing strange clicks? You might want to dig into your logs to find out what triggered them.
- Ask your IT team to pull message trace logs. These can show:
  - The route the email took
  - If the link was scanned or rewritten before delivery
  - Whether tools like Safe Links triggered the click
- Firewall or Proxy Logs
  - Look for outbound traffic to our phishing domains. You might spot which internal device, IP or service accessed the link and when.
- Email Headers. Full headers might reveal:
  - If the message was sandboxed or delayed
  - If the URL was changed or scanned
  - Which security tools were involved
- Try a Clean Test
  - Send a test to a clean machine (like a virtual machine or personal laptop without endpoint protection). If it works as expected, it’s a sign your security software is triggering the false clicks.
- Reach Out to Your Security Vendor
  - If you think a tool is pre-clicking links even after you have followed the instructions in our whitelisting guides, we recommend reaching out to your security vendor directly for further support on adding our domains to their allowlist.
How to Prevent False Positives
The best way to avoid false positives is to know how your organisation’s security setup handles emails. Since there are a wide variety of security software products, you may want to check the documentation of the software or service providers that you use to see if there is a section about exempting links or domains from link scanning, link analysis, or link probing.
Here’s what helps:
- Double-check your whitelisting - Whitelist our sending domains and IP addresses on your mail server and any third-party filtering solution.
- Additional whitelisting - Ensure your organisation has whitelisted across all relevant layers. Many systems (e.g., Microsoft Defender, Mimecast, Barracuda, Google Workspace) offer link checking or URL rewriting features and may cause links to be auto-clicked before reaching the user. These must be configured to allow or bypass our URLs to avoid pre-clicking.
- Test first - Run test campaigns with a couple of different templates on machines that would have the same setup as your users' to see if your current setup will cause false positives.
- Reporting method - Make sure users report suspicious emails using your chosen method (e.g. Microsoft Report Button or manual forward) and not any third-party reporting feature.
- Retest after whitelisting - Send a new phishing test to a small group (3–4 users). Check the results - are clicks still happening instantly, or only when users interact?
Check out these support guides:
Questions? Feel free to contact us at support@goldphish.com.