What Can Cause False Positive Phishing Results?
False positive phishing results can be caused by third-party email services inspecting links within emails, which can be identified by analyzing unusual time lapses between send and click times and checking if the IP addresses belong to non-end-user organizations, with prevention methods including following Phin's Allowlisting Guide and enabling the Ignore Third Party Service IP Addresses feature.
If your client uses a third-party email service, that service may be inspecting links within the customer's emails.
Preventing false positives
- 1.Follow Phin's Allowlisting Guide.
- 2.Enable Phin's Ignore Third Party Service IP Addresses feature (third-party email services include Microsoft, Google, Yahoo, etc.).
How to identify a false positive vs user click
- Investigate the time elapsed between the send and clicked times. Unusual time lapses could indicate a third-party email service inspecting the link rather than a person clicking it. This can be viewed in the Phishing Analytics section of the portal.
- Check if the IP address belongs to an organization that is not the end user.
How to identify false positive IPs
- 1.Go to Analytics > Phishing and click on the download icon in the lower right corner of the page.
- 2.Open the downloaded table and find the column that displays which IP addresses.
What doesn't count as a click?
- Opening an email
- Forwarding an email
- Reporting an email as a phishing attempt