Troubleshooting Guide: How to Fix False Positives (100% Click Rates)

If you’re seeing an unusually high - or even 100% - click rate on your phishing simulations, it almost always points to false positives. These happen when automated security tools click the links in your emails before they ever reach your users. This can still occur even if you’ve completed some whitelisting steps, especially when multiple layers of security are involved.


What are False Positives?


A Real Click is recorded when a real user (learner) interacts with a link.


A False Positive is when a security tool performs that action instead, often as part of automated link-scanning or threat analysis.


Common Causes of Automated Clicks


Automated clicks typically come from one or more of the following:

  • Email Security Gateways / Spam Filters: These can scan links if our domains and IPs aren’t fully whitelisted.
  • Advanced Threat Protection (ATP): Features like link rewriting, URL sandboxing, or Safe Links can follow URLs automatically before delivery.
  • Endpoint Protection: Some antivirus or EPP tools perform their own link checks when the email lands on the user’s device.

How to Spot False Positives in Campaign Reports


You can typically confirm this behaviour by checking your campaign timestamps:

  • Key Indicator: If Delivered, Opened, and Clicked are logged simultaneously, or within a few seconds, it points to an automated scan.
  • How to View: Open the campaign report and select Expand Statuses to review the timestamps.

👉 Need help reviewing events? See the Reviewing Phishing Campaigns section in the Admin Dashboard Overview Guide.
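
The timestamp check described above can be run across a whole campaign at once. The script below is an added example, not part of the platform or its tooling. It assumes a hypothetical CSV layout (recipient, status, timestamp) with constructed sample rows, and it reads "within a few seconds" as 10 seconds, which is an assumed threshold.

```python
import csv
import io
from datetime import datetime

# Constructed sample data. The column layout is an assumption for this
# example, not the platform's actual export format.
SAMPLE_EVENTS = """recipient,status,timestamp
alice@example.com,Delivered,2024-05-01T09:00:02
alice@example.com,Opened,2024-05-01T09:00:03
alice@example.com,Clicked,2024-05-01T09:00:03
bob@example.com,Delivered,2024-05-01T09:00:02
bob@example.com,Opened,2024-05-01T09:41:10
bob@example.com,Clicked,2024-05-01T09:41:55
carol@example.com,Delivered,2024-05-01T09:00:04
carol@example.com,Opened,2024-05-01T10:15:30
"""

# "Within a few seconds" is read as 10 seconds here (assumed threshold).
AUTOMATED_WINDOW_SECONDS = 10


def classify_clicks(csv_text, window=AUTOMATED_WINDOW_SECONDS):
    """Map each recipient to 'likely automated', 'likely real', 'no click' or 'unknown'."""
    first_seen = {}  # recipient -> {status: earliest timestamp}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        statuses = first_seen.setdefault(row["recipient"], {})
        status = row["status"]
        if status not in statuses or ts < statuses[status]:
            statuses[status] = ts

    verdicts = {}
    for recipient, statuses in first_seen.items():
        clicked = statuses.get("Clicked")
        delivered = statuses.get("Delivered")
        if clicked is None:
            verdicts[recipient] = "no click"
        elif delivered is None:
            # Without a delivery time the gap cannot be measured.
            verdicts[recipient] = "unknown"
        else:
            gap = (clicked - delivered).total_seconds()
            verdicts[recipient] = "likely automated" if gap <= window else "likely real"
    return verdicts


if __name__ == "__main__":
    for recipient, verdict in classify_clicks(SAMPLE_EVENTS).items():
        print(f"{recipient}: {verdict}")
```

If most recipients come back as "likely automated", the cause is a scanning layer rather than user behaviour.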


How to Fix False Positives


To resolve automated clicks, the key is ensuring that our domains and IPs are trusted across every layer of your email delivery chain.


Step 1: Identify All Security Layers

  • Confirm if you are running any third-party email security (e.g., Mimecast, Barracuda, Proofpoint) alongside Microsoft 365 or Google Workspace.
  • Also, check for device-level antivirus/endpoint protection that might be scanning links.

Step 2: Double-Check Whitelisting

  • Ensure all required URLs, IPs, and domains are correctly allowlisted.

Step 3: Check External Logs

  • The logs from your external email gateway or security provider will give you the full picture of the email path, confirming where the automated click is happening. (We cannot access these from our side.)

Step 4: Run a Post-Configuration Test

After applying or updating whitelisting, run a small test to confirm everything is working:

  1. Target 2–3 users and ask them to confirm the following actions:
     • Received the email
     • Opened it
     • Clicked the link
     • Reported it
  2. Check the report to confirm that opens and clicks now reflect genuine user behaviour.

Need help setting up the Phish Reporter? See our Phish Reporter Service Guide.

Step 5: Final Step (If Automated Clicks Continue)

If everything appears correctly configured and the automated clicks continue:

  • Contact your email security vendor and request that our simulation domains be added to their global allowlist. This is usually the most effective long-term fix when local whitelisting isn’t fully respected.

If you need a hand, reach out to our Support Team via email at support@goldphish.com.🚀🛠️
