Troubleshooting Guide: Showing 100% click-through on phishing tests

Seeing a 100% click-through rate on your phishing test is almost always indicative of false positives, most commonly caused by email security systems pre-scanning or interacting with phishing emails before they reach end users. This usually points to a whitelisting issue.

Step 1: Understanding False Positives

False positives occur when automated systems (not end users) interact with phishing emails. This may include:

  • Automatic link scanning by secure email gateways (SEGs)
  • Pre-delivery or post-delivery email scanning
  • Anti-phishing or URL inspection tools that follow embedded links

These systems may “click” links to scan them for threats, which can lead to incorrect results in your phishing test reporting.

Common signs of false Positives:

  • Simultaneous actions: All users show identical open and click behaviour at the same time.
  • Unnatural patterns: Multiple clicks or actions recorded for a single user at identical timestamps (e.g., 3 clicks at 14:07:00).

Such patterns are highly unlikely to result from human interaction and are typical of automated scanners or security software.

Need help reviewing timestamps? Visit our Monitor and Review Phishing campaigns.

Step 2: Identifying the Cause

Confirm Whitelisting Is In Place

Ensure your organisation has whitelisted across all relevant layers:

  • Domains and IP's: Whitelist our sending domains and IP addresses on your mail server and any third-party filtering solution.
  • System-Specific Guidance: Many systems (e.g., Microsoft Defender, Mimecast, Barracuda, Google Workspace) offer link checking or URL rewriting features and may cause links to be auto-clicked before reaching the user.These must be configured to allow or bypass our URLs to avoid pre-clicking.

Useful Resources:

Whitelisting technical Information

Whitelisting Basics

System-Specific Whitelisting Guides:

Identifying False Positives

To identify false positives in test results, look for the following behaviour:

  • Simultaneous click actions: Actions for multiple users occurring at identical or evenly timed intervals
  • Unnatural interaction patterns: Multiple clicks or opens from users logged within the same second.
  • High click volumes: No users report the phishing test or flag emails despite a 100% click rate.

Such behaviour is highly unlikely to result from human interaction and is typical of automated scanners or security software.

Filtering False Positives

If we can identify the IP addresses, ranges, or blocks that are registering the false clicks (based on the characteristics listed above) with a certain amount of confidence, those IP addresses are auto-excluded from testing data.

Test Again

Once whitelisting has been updated,

  • Run another phishing test with a small group (3-4 users).
  • Review results to confirm if emails are delivered correctly and click-through rates reflect actual user actions.

Step 6: Still Seeing Issues?

If the issue persists, please contact our Support Team and provide the following:

  • Campaign name, company name, and test date.
  • Headers from one or more test emails received.
  • Details of your email gateway or filtering configuration.
  • (Optional) Screenshot or CSV export of the test results.
  • (Optional) Short Video of your settings.

We’ll help review your setup.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us