Identifying and Addressing False Positives
If you are running a phishing campaign and see results that are unusual, you may be experiencing false clicks. When reviewing campaign results, if you see a 100 percent click rate or IP addresses that don't belong to your organization, this can be an indication of false positives. Below are some of the common reasons for false positives as well as some tips for handling them.
What Is Considered a Click?
Clicks are what we track when a user clicks on a phishing link in a simulated email. However, there are other ways a click may be registered. We refer to clicks that were not caused by a user clicking a phishing link as false positives. Listed below are some common reasons for false positives:
- Improper whitelisting of your spam filter. Improper whitelisting can cause automated clicks or bot clicks. To learn how to tell if your click was a bot click, please see our How to Identify Bot Clicks section below.
- Additional whitelisting may be required. Your spam filter may require additional whitelisting in order to exempt simulated phishing emails from link analysis or link probing.
- Mail filters with security add-on packs that have not been whitelisted.
- Endpoint security or antivirus software.
- Link preview functions as part of mobile device operating systems.
- Security software that is incorporated into mobile device management (MDM) systems.
- Phishing emails that are forwarded from one user to another user. This action may be registered as a click because the forwarded email was sandboxed and checked by the mail server or because the recipient of the forwarded email clicked on the link.
How to Identify Bot Clicks
Instances of improper or insufficient whitelisting can lead to a bot click. Bot clicks are caused by an automated process within your infrastructure. You can identify a bot click by examining your phishing campaign results. Listed below are some ways you can identify bot clicks:
- The times listed in the Delivered, Open, and Click columns are all the same or are within a minute of each other.
- The Clicked tab indicates the browser or browser version is one that is not used in your environment or is outdated.
- The operating system listed is one that your users don’t have access to in your environment.
- The IP address belongs to a provider of one of your security products.
Unexpected IP Addresses in Campaign Results
When a click is registered in the console, the IP address is registered from where the click originated. Below are some examples of why you may see unexpected IP addresses:
- If a user is on a mobile device and clicks on the link, the click could show as coming from the cellular service provider.
- If a user is on the Wi-Fi in their house, the click would register as being from an IP address from that internet service provider (ISP).
- If a user is on public Wi-Fi, the click would register from the location of where the user was when they clicked.
- If you or one of your products uses a hosted services provider, such as AWS, the IP address may come from another location or even another country. Certain link analysis processes may not occur on the client side, and the link may be passed to the security provider’s backend processing or analysis center.
- If the URL is sent to VirusTotal, the IP address may come from another location. This link may be sent automatically by a product you use or by your user. When a URL is submitted to VirusTotal, they analyze the URL to determine if it needs to be added to their threat definitions as hostile. Sometimes, this link analysis is instant. Other times, it may happen over the course of several hours. These IP addresses may register as a security vendor or they may register as an ISP.
How to Prevent False Positives
Knowing your infrastructure is the most important step for preventing false positives. Since there are a wide variety of security software products, you may want to check the documentation of the software or service providers that you use to see if there is a section about exempting links or domains from link scanning, link analysis, or link probing.
You can also run test campaigns with a couple of different templates on machines that would have the same setup as your users' workstations. These test campaigns can help you see if your current setup will cause false positives.
Make sure your users are only reporting emails via the Phish Alert Button and not the Microsoft 365 phishing button.
Check to see if your security products have the option of additional whitelisting. If you can, whitelist our phish link domains and our landing page domains. This extra step can help prevent false positives. To see a list of our root phishing domains, navigate to the Phishing tab in your KnowBe4 console and select the Domains subtab. For more information on the Domains subtab, see our How to Manage Phish Link Domains article.
If you are still experiencing issues with false positives, contact our support team and they will be happy to assist you.