When administering phishing tests, you may find targets that fail tests, yet claim they did not click links or interact with landing pages. False positives are most commonly caused by cloud-based email security software. Security software, email clients, and even web crawlers used by search engines can 'click' links, which will register as clicks in testing data. Using a combination of PhishingBox internal tools and free third-party applications can help you identify false positives and ignore them in testing data.
Identifying False Positives
Identifying false positives can be difficult. A target may report that they did not click a link in a phishing test, but how can you be sure they are telling the truth? We have identified two discrete data points that may help you determine whether a failure is a false positive or not.
Every action registered in PhishingBox is geolocated. When an IP address registers an action, a DNS lookup is performed that returns geolocation data for that IP address. The geolocation data for a campaign can be found on the campaign's details page or generated in a report. If the geodata for the action is far away from the target's physical location, then the action was most likely a false positive. You can also get geodata for specific IP addresses using third-party DNS lookup tools.
If a target fails and the recorded actions show the link being clicked, or the email being opened, many times over, then those actions are likely false positives. Software tends to interact with emails many times, whether for security or for malice. If the behavior recorded for a specific email in a campaign shows many actions that do not look like typical human behavior, then it is likely a false positive.
If the actions are coming from user agents that are known bots, then the actions are most likely false positives. You can use the following tool to look up user agents and help determine whether an action is possibly coming from a bot: https://user-agents.net/bots
If you believe an IP address is registering false positives, the best course of action is to do a DNS lookup on the IP address. There are many free DNS lookup tools available, such as who.is. They will relay geographic and ownership information for any IP address. Most cloud-based email security providers will have IP addresses registered to their company, and a DNS lookup will expose that information. However, this isn't always the case, and aside from the geographic location of the IP address, a DNS lookup does not always provide useful information. A number of entities could be registering false clicks on emails, ranging from email security software, antivirus, and email clients to bad actors that have obtained a user's login information or malicious bots that are listening to the inbox. Regardless, a DNS lookup is the best tool available for trying to pinpoint the cause of false clicks. In the case of cloud-based email security software (the most common culprit), many providers list their IP ranges in their support documentation.
More often than not, real clicks will come from the target's own IP address or geographic area, unless client-side software such as an email client or antivirus is interacting with the emails. If client-side software is involved, it may be useful to review the full user agent data for the request that registered the action.
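The heuristics above (geodata far from the target, many actions from one IP, bot user agents, and IPs inside a vendor's published ranges) can be applied mechanically to an exported list of click events before deciding what to exclude. The following is an added example, not PhishingBox code: the record fields, the sample events and the scanner CIDR range are constructed placeholders, and the thresholds are assumptions to tune per campaign.

```python
# Added example, not PhishingBox code: field names, sample events and the
# scanner CIDR range are constructed placeholders.
import ipaddress
from collections import Counter
from math import asin, cos, radians, sin, sqrt

# Placeholder range; substitute the ranges your mail-security vendor publishes.
SCANNER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BOT_UA_MARKERS = ("bot", "crawler", "spider", "scanner")
MAX_DISTANCE_KM = 500   # geolocation farther than this from the target is suspect
MAX_ACTIONS_PER_IP = 3  # more actions than this from one IP is not typical human behaviour

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def classify(events, target_loc):
    """Map event id -> reasons for each non-human-looking event; events carry id, ip, ua, lat, lon."""
    per_ip = Counter(e["ip"] for e in events)   # total actions per source IP
    flagged = {}
    for ev in events:
        reasons = []
        if any(ipaddress.ip_address(ev["ip"]) in net for net in SCANNER_RANGES):
            reasons.append("ip in known scanner range")
        if any(m in ev["ua"].lower() for m in BOT_UA_MARKERS):
            reasons.append("bot user agent")
        if km_between(ev["lat"], ev["lon"], *target_loc) > MAX_DISTANCE_KM:
            reasons.append("geolocation far from target")
        if per_ip[ev["ip"]] > MAX_ACTIONS_PER_IP:
            reasons.append(f"{per_ip[ev['ip']]} actions from one ip")
        if reasons:
            flagged[ev["id"]] = reasons
    return flagged

def triage_sample():
    """Run classify() over constructed events for a target located in New York."""
    human_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
    events = [
        {"id": "e1", "ip": "203.0.113.7", "ua": "Mozilla/5.0 (compatible; LinkScanner-Bot/1.0)",
         "lat": 47.6062, "lon": -122.3321},                      # scanner range, geolocated to Seattle
        {"id": "e2", "ip": "198.51.100.20", "ua": human_ua, "lat": 40.7306, "lon": -73.9866},
    ] + [{"id": f"e{n}", "ip": "192.0.2.5", "ua": human_ua, "lat": 40.71, "lon": -74.0}
         for n in range(3, 7)]                                    # four opens from one IP
    return classify(events, (40.7128, -74.0060))
```

Only e2 survives as a plausible human click; the flagged IPs are candidates for the exclusion list described under Filtering False Positives, after confirming them with a DNS lookup.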
Filtering False Positives
If you can identify the IP addresses, ranges, or blocks that are registering the false clicks with a certain amount of confidence, those IP addresses can be excluded from testing data on the Account Settings page.