Skip to main content
All CollectionsuPhishTroubleshooting
FAQs and troubleshooting False Positives
FAQs and troubleshooting False Positives

Find out if your phishing campaign is picking up false positives and how to address them.

Anna Cunningham avatar
Written by Anna Cunningham
Updated over 3 months ago

If your phishing simulation results appear to be incorrect or unusual, this may be due to uPhish reporting false positives.

In this article you’ll find out:

How does a user’s response to a phishing simulation affect the risk score?

The uPhish risk score indicates the user’s susceptibility to phishing attacks. A weighted total score is calculated based on the user's engagement with each of the simulations they’ve been sent, with “open” having a very low impact on the overall score for that user, and no impact if the user has reported the simulation as a phishing email after opening it using the Phish Alert Button.

“Visits” and “compromises” significantly impact the user’s risk score, however the impact of a “visit” is slightly reduced if the user has reported the simulation using the Phish Alert Button.

What are false positives?

A false positive in a phishing simulation is when a user is incorrectly flagged as having interacted with the phishing simulation, such as opening the email or attachment, clicking a link or inserting their credentials, despite not actually having performed that action. False positives cause inaccurate user performance results for phishing simulations, skewing the overall risk score.

What causes false positives?

False positives are mostly caused by automated or “bot" clicks. These are clicks that are performed by an automated security process that scans emails to ensure no malicious content gets through to users’ inboxes via email.

There are a number of reasons why you may be experiencing false positives from automated security processes.

Some of the most common reasons are:

  • Incorrect or incomplete whitelisting of your spam filter

  • Third party security filter add-ons

  • Endpoint security or antivirus software

  • Link preview functions

  • Security software that is incorporated into mobile device management (MDM) systems

  • Forwarding phishing emails to another user

What to do if your reports are picking up false positives

Set up Message Injection

Message Injection is the preferred delivery method for phishing simulations as it bypasses the need for allow-listing, reducing the chance of bot clicks, in turn reducing the possibility of false positives.

Ensure all allow-listing is set up and complete

For phishing simulations sent via SMTP, the complete allow-listing of IP addresses and domains helps ensure phishing simulation emails are not passed through link analysis which can cause automated bot clicks.

Configure Microsoft Advanced Delivery

If you're using Microsoft 365, set up Advanced Delivery to bypass spam filtering and ensure simulated phishing emails reach user inboxes.

Check the settings of any email security services you are using

Double-check that the usecure domains have been added to your third-party exclusion lists.

Set up the Phish Alert Button

Some antivirus software monitors outgoing messages in addition to incoming messages. This means if a user forwards on a phishing simulation, a bot click can be triggered, resulting in a false positive. By setting up the Phish Alert Button, users can report suspected phishing simulations without forwarding the email.

Why are there false positives for some users but not others within the same phishing simulation campaign?

A common reason why false positives are triggered for some users but not others is the devices they are using to open the simulation emails. For instance, phishing simulations opened on mobile devices may have different security processing.

What about false negatives?

In cases where a user has engaged with a phishing simulation but their interaction hasn't been picked up in the performance report, the most common reason is because a preview function was used to view the attachment without actually opening it. If an Office 365 document was opened in protected view, this will not trigger an "open" or "compromise" either.


Did this answer your question?