What is a false positive?
False positives in simulated phishing emails occur when recipients are mistakenly flagged as having interacted with the email, such as clicking on a link or replying, despite not actually engaging with it. This article aims to provide guidance on identifying and addressing false positives.
Identifying false positives
To spot false positives, review the results of the campaign in question. Detailed information about the campaign can be accessed by referring to our guide on reviewing a phishing campaign.
- Examine IP Addresses: Check the IP addresses associated with the clicks to determine their source. Some clicks may originate from third-party perimeter protection services that open links before the recipient ever sees the email. In such cases, consider implementing appropriate allowlisting measures. You can find detailed instructions on allowlisting different systems in our Allowlisting Guides.
- Perform a DNS Lookup: Conduct a DNS lookup on the involved IP addresses to gather additional information. This lookup can provide valuable data, including geographic and ownership details, which can help identify the root cause of the false positive.
- Check the IP Map: Review the IP map and look for multiple clicks from unrecognised locations. This could indicate third-party services scanning and detonating email or attachment links, leading to false positives.
- Reporting Tools: False positives may also occur when using third-party reporting tools. When reporting a simulated phishing email, the email will be scanned by the third-party system. This can trigger the detonation of the links in the simulated phishing emails. Be aware of this possibility during analysis. To avoid this, we recommend using our reporting tool, the Phish Hook button.
What to do if there is a false positive?
If a recipient insists that they did not click on a link despite platform data suggesting otherwise, and you are confident about their claim, you can take the following steps:
- Investigate and Allowlist: Identify the system or service responsible for the false positives and implement appropriate allowlisting measures. To pin down the responsible system or service, you can run multiple test campaigns using different device setups and isolate which one produces the automated clicks.
- Deleting Recipient Actions: By deleting the recipient's actions from the campaign, you can completely remove their actions from all areas of the Phishing Tackle platform. Please note that this action is irreversible. For instructions on how to delete recipient actions please refer to our support article how to delete recipient actions.
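The checks in the identification list above (scanner IP ranges, shared IPs, clicks that arrive too quickly to be human) and the "investigate and allowlist" step can be applied to exported click data before anyone's results are deleted. The following is an added example, not Phishing Tackle's own code or platform logic: it assumes click records have already been exported into a list, and the CIDR ranges, recipients, timestamps and thresholds are all constructed placeholders (TEST-NET addresses, not any vendor's real address space).

```python
"""Triage simulated-phishing click records for likely false positives.

Added example; not part of the Phishing Tackle platform. Everything below
(ranges, thresholds, sample clicks) is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import socket
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed allowlist of perimeter-scanner ranges you have already identified.
# These are RFC 5737 documentation ranges used as placeholders, not real vendors.
KNOWN_SCANNER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder: "mail gateway"
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder: "URL sandbox"
]

# Assumed tuning values: a person rarely opens and clicks within seconds of
# delivery, and one address rarely clicks on behalf of several recipients.
MIN_HUMAN_DELAY = timedelta(seconds=30)
SHARED_IP_THRESHOLD = 3


@dataclass
class Click:
    recipient: str
    ip: str
    delivered_at: datetime
    clicked_at: datetime


def in_known_scanner_range(ip: str) -> bool:
    """True if the address falls inside an already-allowlisted scanner range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SCANNER_RANGES)


def shared_ips(clicks: list[Click], threshold: int = SHARED_IP_THRESHOLD) -> set[str]:
    """IPs that produced clicks for at least `threshold` distinct recipients."""
    recipients_by_ip: dict[str, set[str]] = {}
    for c in clicks:
        recipients_by_ip.setdefault(c.ip, set()).add(c.recipient)
    return {ip for ip, rs in recipients_by_ip.items() if len(rs) >= threshold}


def triage(clicks: list[Click]) -> dict[str, list[str]]:
    """Per recipient, the indicators suggesting their click was automated.
    An empty list means no scanner indicator was found for that recipient."""
    shared = shared_ips(clicks)
    result: dict[str, list[str]] = {}
    for c in clicks:
        reasons = result.setdefault(c.recipient, [])
        if in_known_scanner_range(c.ip):
            reasons.append(f"ip {c.ip} is in a known scanner range")
        if c.ip in shared:
            reasons.append(f"ip {c.ip} clicked for multiple recipients")
        if c.clicked_at - c.delivered_at < MIN_HUMAN_DELAY:
            reasons.append("click within seconds of delivery")
    return result


def likely_false_positives(clicks: list[Click]) -> set[str]:
    """Recipients whose click carries at least one automated-scanner indicator."""
    return {r for r, reasons in triage(clicks).items() if reasons}


def unrecognised_scanner_ips(clicks: list[Click]) -> set[str]:
    """Shared IPs not yet allowlisted: candidates for the DNS/ownership lookup
    and for a new allowlist entry once the owning service is confirmed."""
    return {ip for ip in shared_ips(clicks) if not in_known_scanner_range(ip)}


def reverse_dns(ip: str) -> str | None:
    """Best-effort reverse lookup to support the ownership check (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


# Constructed sample export: all addresses are documentation ranges.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_CLICKS = [
    # three recipients "clicked" from one allowlisted gateway within seconds
    Click("alice@example.com", "203.0.113.7", T0, T0 + timedelta(seconds=4)),
    Click("bob@example.com", "203.0.113.7", T0, T0 + timedelta(seconds=5)),
    Click("carol@example.com", "203.0.113.7", T0, T0 + timedelta(seconds=4)),
    # an unrecognised address clicking for several recipients: investigate it
    Click("dave@example.com", "192.0.2.50", T0, T0 + timedelta(seconds=2)),
    Click("erin@example.com", "192.0.2.50", T0, T0 + timedelta(seconds=3)),
    Click("frank@example.com", "192.0.2.50", T0, T0 + timedelta(seconds=2)),
    # a plausible human click: unique address, well after delivery
    Click("grace@example.com", "192.0.2.200", T0, T0 + timedelta(minutes=12)),
]

if __name__ == "__main__":
    for recipient, reasons in triage(SAMPLE_CLICKS).items():
        print(recipient, "->", reasons or "no scanner indicators")
    print("investigate:", unrecognised_scanner_ips(SAMPLE_CLICKS))
```

Recipients that come back with an empty reason list are the ones whose clicks are worth treating as genuine; the `unrecognised_scanner_ips` output is the list to run through the DNS and ownership lookup before adding a range to the allowlist, and only recipients confirmed as false positives need their actions deleted.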