When running a phishing simulation in PhishGrid, you might occasionally see unusual results—like a 100% click rate or clicks from unfamiliar IP addresses. These can be signs of false positives (clicks not caused by actual user interaction).
Below, we’ll explain what counts as a click, common causes of false positives, how to spot bot clicks, and steps you can take to prevent them.
What Counts as a Click in PhishGrid?
In PhishGrid, a click is recorded when someone opens a phishing link in a simulated email. However, not all clicks are from humans—security tools, email scanners, or link previews can also trigger them.
Common causes include:
- Improper or incomplete whitelisting in spam filters, allowing automated link scanning.
- Mail filters with security add-ons that probe links.
- Endpoint security or antivirus tools.
- Mobile OS link previews (e.g., iOS or Android).
- Mobile device management (MDM) security features.
- Forwarded phishing emails, where the recipient’s system or curiosity triggers a click.
How to Spot Bot Clicks
Bot clicks often happen within your infrastructure due to automated link scanning. Signs include:
- Identical or near-identical timestamps for delivery, open, and click events (often all within a minute).
- Browsers or OS versions not used in your environment.
- IP addresses linked to your security product vendors.
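The three signs above can be checked automatically against exported campaign events. The following is an added example, not PhishGrid code: the event field names, the 60-second window, the two-signal threshold, the expected platform tokens, and the scanner IP range (a documentation placeholder) are all assumptions to replace with values from your own environment.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not PhishGrid's export schema): field names, thresholds and
# ranges below are hypothetical placeholders for your own environment.
SCANNER_NETS = [ip_network("192.0.2.0/24")]          # placeholder vendor egress range
EXPECTED_UA_TOKENS = ("Windows NT 10.0", "iPhone")   # platforms actually deployed
MAX_DELTA = timedelta(seconds=60)                    # "often within a minute"

def bot_signals(event):
    """Return the bot-click signals that fire for one click event."""
    signals = []
    times = [datetime.fromisoformat(event[k])
             for k in ("delivered", "opened", "clicked")]
    if max(times) - min(times) <= MAX_DELTA:
        signals.append("delivery_open_click_within_minute")
    if not any(tok in event["user_agent"] for tok in EXPECTED_UA_TOKENS):
        signals.append("unexpected_user_agent")
    if any(ip_address(event["ip"]) in net for net in SCANNER_NETS):
        signals.append("security_vendor_ip")
    return signals

def classify(event, threshold=2):
    """Label 'likely_bot' only when at least `threshold` signals agree."""
    signals = bot_signals(event)
    label = "likely_bot" if len(signals) >= threshold else "likely_human"
    return label, signals

# Constructed sample events (not real campaign data).
SAMPLE_EVENTS = [
    {"user": "alice", "delivered": "2024-05-01T09:00:00",
     "opened": "2024-05-01T09:00:03", "clicked": "2024-05-01T09:00:04",
     "ip": "192.0.2.15",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0"},
    {"user": "bob", "delivered": "2024-05-01T09:00:00",
     "opened": "2024-05-01T11:41:50", "clicked": "2024-05-01T11:42:10",
     "ip": "203.0.113.77",   # unfamiliar IP, e.g. mobile data
     "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X)"},
    {"user": "carol", "delivered": "2024-05-01T09:00:00",
     "opened": "2024-05-01T09:00:20", "clicked": "2024-05-01T09:00:30",
     "ip": "198.51.100.9",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        label, signals = classify(ev)
        print(f"{ev['user']:6} {label:13} {', '.join(signals) or '-'}")
```

Requiring two agreeing signals keeps a fast but genuine click (carol) and a click from an unfamiliar network (bob) from being discarded as bot traffic.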
Why You Might See Unfamiliar IP Addresses
Click IPs may not match your corporate network if:
- A user clicks from mobile data or home Wi-Fi.
- A click comes from public Wi-Fi.
- Security tools process links on cloud infrastructure (e.g., AWS, possibly in another country).
- Links are automatically submitted to VirusTotal or other security analysis services.
Preventing False Positives
To reduce false positives in PhishGrid:
- Review security software documentation for link-scanning or link-probing exclusions.
- Run internal test campaigns using workstations configured like your users’ devices.
- Encourage reports via the PhishGrid Report Button—avoid third-party reporting tools.
- Whitelist PhishGrid phishing and landing page domains in mail filters, antivirus, and proxy tools.
- Add extra whitelisting if your security tools support it.
If issues persist, our support team can help review your environment and recommend the best whitelisting practices.