Accuracy is the backbone of any successful phishing simulation. However, security systems often "pre-click" links to test for threats, leading to bot clicks that can skew your data and create false positives. PhishProof’s Click Filter allows you to maintain the integrity of your results by identifying and excluding these automated security checks. Use this guide to learn how to identify bot activity, configure IP filters, and clean up your campaign data retroactively.
False Positives in Phishing Simulations
When sending phishing simulations, you may encounter false positives from security systems that test links in an email before it reaches the user's inbox. These are referred to as bot clicks. This function is a security measure to protect email recipients from malicious links, but it can cause false assessments and inaccurate results in phishing simulations.
PhishProof's click filter helps prevent bot clicks from counting against users by excluding specific IP addresses or ranges from phishing simulations.
Location: PhishProof > Settings > Click Filter
Identify Bot Clicks
We recommend running a pilot test with a small group before sending phishing simulations to the entire company. Not only does it ensure the email is delivered to the recipient's inbox, but it also allows admins to verify results are accurate and address any sources of false positives before full deployment.
For good measure, we also recommend testing with different template types, as emails with attachments or faux login pages may be handled differently than emails with links alone.
Many false positives can be addressed by properly allow listing PhishProof's domains so that spam filters and other security filters and systems exempt them from link analysis. Any sources of false positives not addressed during the allow listing process can be filtered out in PhishProof, so long as you know the IP address(es).
There are multiple ways to identify bot clicks. Here are a few potential indicators:
- Feedback from the intended recipient(s) stating they did not click despite the console reporting a click.
- Clicks that occur for multiple users at the exact same or almost the exact same time (usually immediately after the email sends).
- The IP address associated with the click belongs to one of your company's security products.
To set up a Click Filter in PhishProof:
- From within PhishProof, click Settings on the left side menu and select Click Filter
- Click + Add IP Filter
- Add the IPv4 address range in the text box using one of the following formats:
  - Wildcard (example: 192.0.2.*)
  - CIDR (example: 192.0.2.0/24)
  - Start-End (example: 192.0.2.0-192.0.2.255)
- Write a short description of the IP address range
- Click + Add
PhishProof will now ignore clicks from hosts within the listed IPv4 address range(s).
Locate IP Address Information for a Campaign
To view the IP address associated with a link click, form submission, or attachment opening in PhishProof, follow the steps below.
- From the Campaigns page, click the name of the campaign to view campaign details
- Navigate to the "User Details" tab
- Enable the "Show User IP Information" toggle in the upper right.
- All recorded IP addresses will display for the campaign.
- To export the IP information, click the "Export Results to Excel" button above the IP Information toggle.
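
Once the IP information is exported, the indicators listed under Identify Bot Clicks can be checked in bulk. The following is an added example, not PhishProof code: the row layout (user, IP, click time), the 60-second window, the per-IP grouping, and the scanner range are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample rows (user, ip, clicked_at). This layout is an assumption,
# not PhishProof's actual export schema.
SENT_AT = datetime(2024, 5, 6, 9, 0, 0)
CLICKS = [
    ("alice@example.com", "192.0.2.15",    "2024-05-06 09:00:04"),
    ("bob@example.com",   "192.0.2.15",    "2024-05-06 09:00:05"),
    ("carol@example.com", "192.0.2.77",    "2024-05-06 09:00:05"),
    ("dave@example.com",  "198.51.100.23", "2024-05-06 11:42:10"),
    ("erin@example.com",  "203.0.113.9",   "2024-05-06 09:00:30"),
]
# Assumed: egress ranges of your own security products, taken from their docs.
KNOWN_SCANNER_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def bot_click_candidates(clicks, sent_at, scanner_nets,
                         window=timedelta(seconds=60), min_users=2):
    """Return {ip: [reasons]} for source IPs that match a bot-click indicator."""
    users_by_ip = defaultdict(set)
    for user, ip, ts in clicks:
        clicked = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        # Indicator: click lands almost immediately after the email was sent.
        if timedelta(0) <= clicked - sent_at <= window:
            users_by_ip[ip].add(user)

    reasons = defaultdict(list)
    secs = int(window.total_seconds())
    for ip, users in users_by_ip.items():
        # One fast click may be a real user; several users from one IP is not.
        if len(users) >= min_users:
            reasons[ip].append(f"{len(users)} users within {secs}s of send")
    for ip in sorted({row[1] for row in clicks}):
        # Indicator: the IP belongs to one of your company's security products.
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in scanner_nets):
            reasons[ip].append("in security product range")
    return dict(reasons)


if __name__ == "__main__":
    found = bot_click_candidates(CLICKS, SENT_AT, KNOWN_SCANNER_NETS)
    for ip, why in sorted(found.items()):
        print(ip, "->", "; ".join(why))
```

A shared office NAT address can also show several users behind one IP, so confirm who owns a flagged address before adding it to the Click Filter.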

Add/Edit IP Addresses in Click Filter
If clicks from a specific IP address or IP range have been identified as bot clicks, these IPs can be added to PhishProof's Click Filter.
Adding IPs to the filter prevents any clicks generated by these IPs from being counted in phishing simulations.
Location: PhishProof > Settings > Click Filter
To add an IP address or range of IP addresses to the click filter, click the "Add IP Filter" button.

Input the IP address or range of IP addresses in one of the formats specified in the pop-up and add a description. Once this is complete, click "Done" to save your new filter.

Any clicks from the specified IP(s) will no longer count in future phishing simulations.
If any clicks in previous campaigns belong to one of the filtered IPs, they can be removed with just a couple more steps.
Remove Clicks from Previous Campaigns
Location: PhishProof > Settings > Click Filter
To remove clicks from previous campaigns based on your current IP filters, click the "Remove Susceptible Users Retroactively" button at the bottom of the page.
Any clicks from previous phishing simulations that are associated with an IP address included in the Click Filter will display. Select all the information you'd like to remove and, when ready, click the "Remove" button.
Please note this action cannot be undone, so look over the selections carefully before confirming the removal.
All of the selected clicks will be removed from their respective campaigns and the user(s) will no longer display as having clicked a link during that campaign.
