Troubleshooting Guide: False Positives
When administering phishing tests, you may find employees who fail tests yet claim they did not click links or interact with landing pages. False positives are most commonly caused by cloud-based email security software. Security software, email clients, and even the web crawlers used by search engines can 'click' links, and those clicks register as clicks in the testing data.
Identifying False Positives
Identifying false positives can be difficult. An employee may report that they did not click a link in a phishing test, but how can you be sure they are telling the truth? Every time a link is clicked, our system records it. This means that if the email is forwarded and someone else clicks the link, or if the link is clicked by third-party software as the email travels, the click is attributed to the email's recipient. As an email travels from our servers to its destination it passes through many networks and may be scanned by security software and mail servers. This software checks the email for malicious content and might click the links it contains. These clicks, however, are not natural: they can be identified and their source IPs whitelisted.
Action Characteristics
If we find that a recipient fails and has clicked a link in an email, or opened the email, many times, then the actions are likely false positives. If the behaviour for a group of recipients looks identical, for example all recipients from a block of similar IPs go open -> click -> view without deviation, that is a tell of false positives. If those actions for a recipient also happened at the same time, that is another indicator: for example, recipient 1 had 3 actions all at 3:01 pm, recipient 2 had 3 actions all at 3:34 pm, recipient 3 had 3 actions all at 4:00 pm, and so on.
Software tends to interact with emails many times, whether for security scanning or for malicious purposes. If the behaviour recorded for a specific email in a campaign has many actions that do not look like typical human behaviour, it is likely a false positive. Bot behaviour tends to look a certain way: unnatural actions occur for the same user at the same time.
Filtering False Positives
If we can identify the IP addresses, ranges, or blocks that are registering the false clicks (based on the characteristics listed above) with a certain amount of confidence, those IP addresses are auto-excluded from testing data.
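The following is an added example, not code from this guide or its platform, of how the characteristics above (an open -> click -> view run at one timestamp, and a group of recipients with identical actions from one IP block) can be scored over exported click-tracking events, and how the source IPs behind flagged recipients are collected as whitelist candidates. The event format, the 5-second window, the /24 block size and the sample data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed sample tracking events (recipient, action, timestamp, source IP)
EVENTS = [
    ("alice@example.com", "open",  "2024-05-01 15:01:00", "203.0.113.10"),
    ("alice@example.com", "click", "2024-05-01 15:01:00", "203.0.113.11"),
    ("alice@example.com", "view",  "2024-05-01 15:01:00", "203.0.113.12"),
    ("bob@example.com",   "open",  "2024-05-01 15:34:00", "203.0.113.20"),
    ("bob@example.com",   "click", "2024-05-01 15:34:00", "203.0.113.21"),
    ("bob@example.com",   "view",  "2024-05-01 15:34:00", "203.0.113.22"),
    ("carol@example.com", "open",  "2024-05-01 16:05:12", "198.51.100.7"),
    ("carol@example.com", "click", "2024-05-01 16:09:48", "198.51.100.7"),
]
BOT_SEQUENCE = ("open", "click", "view")  # scanner pattern described above

def recipient_features(events, block_prefix=24):
    """Per recipient: action sequence, seconds spanned, single IP block (or None)."""
    per = defaultdict(list)
    for rcpt, action, ts, ip in events:
        per[rcpt].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, ip))
    feats = {}
    for rcpt, acts in per.items():
        acts.sort(key=lambda e: e[0])  # stable: equal timestamps keep log order
        seq = tuple(a for _, a, _ in acts)
        span = (acts[-1][0] - acts[0][0]).total_seconds()
        blocks = {ip_network(f"{ip}/{block_prefix}", strict=False) for _, _, ip in acts}
        feats[rcpt] = (seq, span, next(iter(blocks)) if len(blocks) == 1 else None)
    return feats

def suspicious_recipients(events, window_seconds=5, min_group=2):
    """Recipient -> reasons, for recipients whose recorded actions look automated."""
    feats = recipient_features(events)
    groups = defaultdict(set)  # (IP block, action sequence) -> recipients showing it
    for rcpt, (seq, _, block) in feats.items():
        if block is not None:
            groups[(block, seq)].add(rcpt)
    flagged = {}
    for rcpt, (seq, span, block) in feats.items():
        reasons = []
        if seq == BOT_SEQUENCE and span <= window_seconds:
            reasons.append(f"open->click->view all within {window_seconds} s")
        if block is not None and len(groups[(block, seq)]) >= min_group:
            reasons.append(f"{len(groups[(block, seq)])} recipients with identical actions from {block}")
        if reasons:
            flagged[rcpt] = reasons
    return flagged

def ips_to_whitelist(events):
    """Source IPs behind flagged recipients: the candidates to exclude from results."""
    flagged = suspicious_recipients(events)
    return sorted({ip for rcpt, _, _, ip in events if rcpt in flagged}, key=ip_address)
```

On the sample data, alice and bob are flagged on both counts while carol, whose open and click are minutes apart from a single address, is left as a genuine failure.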