Phin Security

What Can Cause False Positive Phishing Results?

False positive phishing results can be caused by third-party email services inspecting links within emails, which can be identified by analyzing unusual time lapses between send and click times and checking if the IP addresses belong to non-end-user organizations, with prevention methods including following Phin's Allowlisting Guide and enabling the Ignore Third Party Service IP Addresses feature.

If your client uses a third-party email service, that service may be inspecting links within the customer's emails.

Preventing false positives

  1. 1.Follow Phin's Allowlisting Guide.
  2. 2.Enable Phin's Ignore Third Party Service IP Addresses feature (third-party email services include Microsoft, Google, Yahoo, etc.).

How to identify a false positive vs user click

  • Investigate the time elapsed between the send and clicked times. Unusual time lapses could indicate a third-party email service inspecting the link rather than a person clicking it. This can be viewed in the Phishing Analytics section of the portal.
  • Check if the IP address belongs to an organization that is not the end user.

How to identify false positive IPs

  1. 1.Go to Analytics > Phishing and click on the download icon in the lower right corner of the page.
  2. 2.Open the downloaded table and find the column that displays which IP addresses.

What doesn't count as a click?

  • Opening an email
  • Forwarding an email
  • Reporting an email as a phishing attempt