When your users fail your phishing tests, we identify their location based on the public-facing IP address where their click came from and provide that information in your individual phishing campaign report.
How are locations determined?
We use a geolocation database to geolocate each user's IP address. This database is updated often, so the locations that are shown may vary over time.
At times, the locations you see may not be where your users are physically located. This is normal. The locations show where clicks were routed based on your system setup and any security services (such as an anti-virus or an outbound web filter) you have in place. Clicks may instead indicate the locations of where servers or data centers for those services are located.
Your users may have clicked within their proper geographical regions, but the security services that you have in place may have clicked afterward to inspect the links, for example. This would not just happen on our phishing tests, but also on any other email traffic in your system.
More information on our Maps and IP Geolocation can be found here: Monitoring and Reviewing Campaigns: Maps and IP Geolocation.