FAQs and troubleshooting False Positives
Find out if your phishing campaign is picking up false positives and how to address them.
If your phishing simulation results appear to be incorrect or unusual, this may be due to SMPhish reporting false positives.
In this article you’ll find out:
- How a user’s response to a phishing simulation affects the risk score
- What false positives are
- What causes false positives
- What to do if your reports are picking up false positives
- Why there may be false positives for some users but not others
- About false negatives
How does a user’s response to a phishing simulation affect the risk score?
The SMPhish risk score indicates the user’s susceptibility to phishing attacks. A weighted total score is calculated based on the user's engagement with each of the simulations they’ve been sent, with “open” having a very low impact on the overall score for that user, and no impact if the user has reported the simulation as a phishing email after opening it using the Phish Alert Button.
“Visits” and “compromises” significantly impact the user’s risk score, however the impact of a “visit” is slightly reduced if the user has reported the simulation using the Phish Alert Button.
What are false positives?
A false positive in a phishing simulation is when a user is incorrectly flagged as having interacted with the phishing simulation, such as opening the email or attachment, clicking a link or inserting their credentials, despite not actually having performed that action. False positives cause inaccurate user performance results for phishing simulations, skewing the overall risk score.
What causes false positives?
False positives are mostly caused by automated or “bot" clicks. These are clicks that are performed by an automated security process that scans emails to ensure no malicious content gets through to users’ inboxes via email.
There are a number of reasons why you may be experiencing false positives from automated security processes.
Some of the most common reasons are:
- Incorrect or incomplete whitelisting of your spam filter
- Third party security filter add-ons
- Endpoint security or antivirus software
- Link preview functions
- Security software that is incorporated into mobile device management (MDM) systems
- Forwarding phishing emails to another user
What to do if your reports are picking up false positives
Set up Message Injection
Message Injection is the preferred delivery method for phishing simulations as it bypasses the need for allow-listing, reducing the chance of bot clicks, in turn reducing the possibility of false positives.
Ensure all allow-listing is set up and complete
For phishing simulations sent via SMTP, the complete allow-listing of IP addresses and domains helps ensure phishing simulation emails are not passed through link analysis which can cause automated bot clicks.
Check the settings of any email security services you are using
Double-check that the SiberMate domains have been added to your third-party exclusion lists.
Set up the Phish Alert Button
Some antivirus software monitors outgoing messages in addition to incoming messages. This means if a user forwards on a phishing simulation, a bot click can be triggered, resulting in a false positive. By setting up the Phish Alert Button, users can report suspected phishing simulations without forwarding the email.
Why are there false positives for some users but not others within the same phishing simulation campaign?
A common reason why false positives are triggered for some users but not others is the devices they are using to open the simulation emails. For instance, phishing simulations opened on mobile devices may have different security processing.
What about false negatives?
In cases where a user has engaged with a phishing simulation but their interaction hasn't been picked up in the performance report, the most common reason is because a preview function was used to view the attachment without actually opening it. If an Office 365 document was opened in protected view, this will not trigger an "open" or "compromise" either.