Marking False Positives for Phishing Events

Learn how to mark your phishing simulation events as false positives.

With event-based phish reporting, some software yields false positive click events: click events that were not initiated by a person but by a software system, typically an email security tool (link scanner, sandbox or URL-rewriting gateway) that opens the links in a simulation email while analysing it. These false positives skew a company's cyber risk data whenever they occur. In most cases they stem from whitelisting gaps: the simulation email was supposed to be exempted from analysis, but a security tool processed it anyway and followed the link.


Therefore, we have added a feature to the Phishing simulation app: the ability to mark specific phishing events as false positives. This is a manual process in which an administrator reviews the events, selects the ones they suspect are false positives and marks them. Marked events are not deleted; they are moved to a separate list and excluded from the reporting data.

Once a Member/Owner admin has identified a false positive, they can mark events individually or in bulk. Navigate to "Reports" in the left sidebar and click "Simulation Events". In the phishing simulation event list, click the "3 dots" icon next to an event and select "Ignore". To mark several events at once, select them first and then apply "Ignore" to the selection.

This immediately marks the selected events as false positives and moves them to a separate False Positives list, reachable at the route .../event-details/false-positives/.

In many cases the false positives originate from a single IP address or a small set of them, because the same security tool scans every simulation email. Within the Events section, admins can search, sort and filter by IP address to surface the related events and "Ignore" them in one pass. A cluster of clicks from one IP, spread across many different recipients and landing within seconds of each other, is a strong sign of an automated scanner rather than people.

If an admin marks an event as a false positive by mistake, they can undo it by navigating to the False Positives list, clicking the 3 dots icon next to the event and selecting "Unmark False Positive". The event then returns to the normal event list and counts in the reporting data again.


Additionally, each False Positive event offers an option to mark all future events from that IP address as false positives. This removes the need to repeatedly mark the same IP: it is done once, and from that point forward the IP is permanently treated as a False Positive IP. Use this only for addresses you have confirmed belong to a scanning tool. A shared egress address, such as a corporate proxy or NAT gateway that real users also browse through, would silently hide genuine clicks if it were added to the permanent list.
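As an added example (not code from the Phishing simulation app or from this article), the following Python sketches the two pieces of triage described above: spotting an IP address whose clicks look automated so its events can be bulk-ignored, and applying a permanent False Positive IP list to later events without swallowing clicks from a shared egress address. It assumes events have been exported as records with `event_id`, `recipient`, `ip` and `clicked_at` fields (an assumed format; the app's real export may differ) and uses constructed sample events.

```python
"""Triage helper for phishing-simulation click events.

Added example; not part of the simulation app. It assumes an exported event
format with event_id, recipient, ip and clicked_at fields (assumption).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events. 198.51.100.7 "clicks" the lures of four different
# recipients within three seconds, which is how a link scanner behaves;
# the other two clicks are from distinct addresses at human-like times.
SAMPLE_EVENTS = [
    {"event_id": 1, "recipient": "alice@example.com", "ip": "198.51.100.7", "clicked_at": "2024-03-01T09:00:01Z"},
    {"event_id": 2, "recipient": "bob@example.com",   "ip": "198.51.100.7", "clicked_at": "2024-03-01T09:00:02Z"},
    {"event_id": 3, "recipient": "carol@example.com", "ip": "198.51.100.7", "clicked_at": "2024-03-01T09:00:02Z"},
    {"event_id": 4, "recipient": "dave@example.com",  "ip": "198.51.100.7", "clicked_at": "2024-03-01T09:00:03Z"},
    {"event_id": 5, "recipient": "erin@example.com",  "ip": "203.0.113.44", "clicked_at": "2024-03-01T10:17:40Z"},
    {"event_id": 6, "recipient": "frank@example.com", "ip": "203.0.113.45", "clicked_at": "2024-03-01T11:02:12Z"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the assumed export format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def candidate_scanner_ips(events, min_recipients=3, window=timedelta(seconds=60)):
    """Return {ip: [event_ids]} for IPs whose clicks cover at least
    min_recipients distinct recipients inside one time window.

    A person clicks their own lure; one address clicking many different
    people's lures within seconds is almost always a security tool.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_ts(e["clicked_at"]))
        # Slide the window forward from each click and count recipients in it.
        for i, start in enumerate(evs):
            t0 = parse_ts(start["clicked_at"])
            recipients = {
                e["recipient"] for e in evs[i:]
                if parse_ts(e["clicked_at"]) - t0 <= window
            }
            if len(recipients) >= min_recipients:
                flagged[ip] = sorted(e["event_id"] for e in evs)
                break
    return flagged


def apply_ignore_list(events, ignored_ips, shared_egress=()):
    """Split events into (kept, ignored) against a permanent False Positive
    IP list. Addresses inside any shared_egress network (e.g. a corporate
    proxy or NAT range that real users exit through) are never ignored,
    because dropping them would hide genuine clicks."""
    ignored_set = {ip_address(ip) for ip in ignored_ips}
    shared_nets = [ip_network(net) for net in shared_egress]
    kept, ignored = [], []
    for event in events:
        addr = ip_address(event["ip"])
        is_shared = any(addr in net for net in shared_nets)
        if addr in ignored_set and not is_shared:
            ignored.append(event)
        else:
            kept.append(event)
    return kept, ignored


if __name__ == "__main__":
    for ip, ids in candidate_scanner_ips(SAMPLE_EVENTS).items():
        print(f"likely scanner {ip}: bulk-ignore events {ids}")
    kept, ignored = apply_ignore_list(SAMPLE_EVENTS, ["198.51.100.7"])
    print(f"{len(ignored)} events ignored, {len(kept)} kept for reporting")
```

The thresholds (three recipients inside sixty seconds) are starting points, not the app's own rule; tune them against a campaign you have already reviewed by hand. The `shared_egress` guard is the programmatic form of the caveat above: before an address goes on the permanent list, confirm it is not the address every employee's browser exits through.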