In this article, you will learn about the False-Positive Phishing Evasion settings in the Phishing section of your KSAT console’s Account Settings. If you are running a phishing campaign and see unusual results, you may be experiencing false clicks. When reviewing campaign results, if you see a 100 percent click rate or IP addresses that don't belong to your organization, this can indicate false positives. The False-Positive Phishing Evasion settings can minimize incidences of false positives, giving you more accurate phishing campaign results. For more information about bot clicks, see the How to Identify Bot Clicks section of our Identify and Address False Positives article.

Enabling False-Positive Phishing Evasion Settings

We refer to phishing failures not caused by a user clicking a phishing link as false positives. If not resolved, false positives can cause phishing campaign results in your Phishing Security Test Reports to be inaccurate.

False-positive phishing evasion works by tracking when a hidden link in a sent Phishing Security Test (PST) is accessed. Phishing failures that occur after this hidden link is accessed are flagged and ignored if they occur within the configured Duration for Ignored Bot Failures. In addition, IP addresses for bot-associated failures and actual phishing test failures are compared by configuring the IP Address Match for Ignored Bot Failures setting.

You can enable and customize the False-Positive Phishing Evasion settings in the Phishing section of Account Settings. See the below screenshots and list for more information about the settings in this section:

1. Ignore Bot-Associated Phishing Failures: Select this check box to ignore bot-associated phishing failures that occur soon after a hidden link is accessed. When this setting is enabled, the Duration for Ignored Bot Failures and IP Address Match for Ignored Bot Failures options will appear.
2. Duration for Ignored Bot Failures: Here, you can select the amount of time after a hidden link is accessed that subsequent bot-associated phishing failures are to be ignored. The selections available are Conservative (5 sec), Balanced (10 sec), and Inclusive (30 sec).
3. IP Address Match for Ignored Bot Failures: You can select match criteria to ignore bot-associated phishing failures based on the IP address of the hidden link being accessed compared to the IP address of potential bot-associated phishing failures. The selections are No Match, First Two Octets, and Exact Match. The First Two Octets option will match IP addresses based on their Class B network identifier. For example, if the IP address is 54.70.53.60, it will look for IP addresses within the 54.70.0.0/16 subnet.

How to View Details of Ignored Bot-Associated Phishing Failures

After you have enabled the Ignore Bot-Associated Phishing Failures setting, ignored failures on your phishing tests can be viewed in the Users > Ignored Failures page on your phishing campaigns.

See the below screenshot and list for an explanation of the data located in this section:

1. Name and Email: This column displays the name and email address of the ignored bot-associated failure.
2. Date and Time: This column displays the date and time of the ignored bot-associated failure.
3. Bot Event Interval: This column displays the amount of time in seconds after a hidden link was accessed that subsequent bot-associated phishing failures were ignored.
4. Ignored Failure Type: This column displays the type of ignored bot-associated failure, in this case, “Clicked.”
5. IP Address: This column displays the IP address of the ignored bot-associated failure.
6. Browser: This column displays the browser used by the bot-associated failure, such as Chrome.
7. Browser Version: This column displays the browser version used by the bot-associated failure.
8. OS: This column displays the operating system used for the bot-associated failure, such as Mac.
9. Bot Events: This column displays the number of ignored failures for this user. Note that this counter stops at 5, and additional bot events won't update the rest of this row data. You'll see “5+” in the Bot Events column when this event occurs.
10. Convert to Campaign Failure (trashcan icon): When you select this icon, the console will convert ignored bot failures to phishing campaign failures. More information about how this feature works is explained below.
11. Preview (envelope icon): This icon, when selected, will show you a preview of the phishing campaign email.

How to Convert Ignored Failures to Actual Failures

You can convert ignored bot failures to actual phishing campaign failures if you believe a false negative has occurred. If you believe a user has failed a phishing test and the console shows an ignored failure event and not a phishing failure, then you can convert the ignored bot failure to a phishing campaign failure.

To complete this conversion process, follow the steps below:

1. In your KSAT console, go to Phishing > Campaigns, then select your phishing campaign.
2. Navigate to Users.
3. At the right side of the Users section, click Ignored Failure.
4. When you see an ignored failure you would like to convert to an actual phishing failure, click the trashcan icon on the right side of the screen.
5. You will be asked if you want to convert the bot event to a campaign failure, as you cannot undo this action.
6. Click the Confirm button.
7. An ignored failure can only be converted to a phishing failure once. The trashcan icon will be greyed out after the ignored failure is converted to a phishing failure.
8. The Ignored Failure Type will be visible after it is converted to a phishing failure. For example, in the screenshot below, the Ignored Failure Type is a Clicked type failure.