How to investigate a potential false click
What is a false click?
A false click is where the CultureAI platform shows that an employee has clicked on a simulated phishing link, but the employee didn't actually click on anything.
What causes a false click?
Diagnosing the source of false clicks can be a complex process, as many elements could be causing them. We've listed the most common causes below. Take a look at your set-up, and if any of the below are performed, this is likely the cause of your false clicks:
- URL re-writing - This is a feature of various email security programmes. It scans and checks links in incoming emails, and this scanning can sometimes register as a click. The fix varies depending on your set-up and tools. Usually, allow listing or excluding all the CultureAI IPs from URL scanning will fix this.
- Fetching URL expansion - This is an email add-in that allows people to preview the website that links will take them to. They can hover over the link and it will show a screenshot of the website. The add-in follows the link to fetch this screenshot from the link destination, which will register as a click. Excluding CultureAI phishing emails from this add-in will resolve this.
- Post-received scanning/Safe links - Some security software (like Avast) will perform a scan of an email when a user opens it, and this can register as a click. Allow listing or excluding all the CultureAI IPs from post-received scanning will fix this.
- Reporting emails outside of the CAI reporting button - If users are using another reporting button, such as Microsoft's or Google's, there's a chance that the reporting function is scanning links and this is registering as a false click.
- Any email scanning software - There is a lot of email security software out there, and some of it can cause false clicks while performing its usual checks.
How to tell a false click from a real click
If you've looked through all the above possible causes and confirmed that none of them are causing the false click, there are a few things you can look at to help you decide.
Click vs delivered time
When you look at an employee's click, you will see both the delivered time and the click time.
Delivered time is when the email reached the employee's inbox. Clicked is when the employee clicked on a link in the email.
In the case of a false click, you should expect the click time and the delivered time to be the same, as any automated scanning actions that caused the click will happen within a few seconds of the email being delivered.
If there is a difference between the two times, this points towards it being a real click.
This is the simplest way to determine if a click is real or not.
Actions, access and context
It's good to understand why the employee thinks this is a false click.
If they only say "I didn't click it", that isn't much information for you to go on, and it doesn't help your investigation. You need to understand what actions the employee took around the time of the click, and why those actions point to the click being false or not.
You should try to determine:
- What were they doing at the time the click was recorded? Were they at work? On their lunch? In a meeting? While none of these prevent someone from opening their emails, they can contribute to why someone thinks a click is false.
- Do they have access to their work emails outside of their laptop, such as on a mobile phone? It's easier to misclick on a mobile phone, so they may not even be aware they clicked on something.
- Did they take any non-standard actions with the email, such as forwarding it to a different inbox, or using email add-ins that could interfere with the mail flow? If so, these could be the culprit, and it's good to determine why they take these actions.
How many people have reported false clicks?
Usually, if something in your infrastructure is causing a false click, you should expect multiple reports of false clicks, as some automated action would be causing the click and this would be happening across several users.
If only one employee has reported a false click, and you've received no further reports, it's much less likely that the click was false.
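The timing check and the several-employees check described above can be combined into one triage pass over click records. This is an added example, not CultureAI code: the record fields, the sample data and the 10-second window are assumptions, and it counts fast clicks per campaign as a stand-in for the number of reports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: "within a few seconds" is taken as 10 seconds for illustration.
SCANNER_WINDOW = timedelta(seconds=10)

# Constructed sample records; field names are hypothetical, not an export format.
EVENTS = [
    {"employee": "a.khan", "campaign": "invoice-01",
     "delivered": "2024-03-04T09:00:02", "clicked": "2024-03-04T09:00:03"},
    {"employee": "b.osei", "campaign": "invoice-01",
     "delivered": "2024-03-04T09:00:02", "clicked": "2024-03-04T09:00:05"},
    {"employee": "c.lind", "campaign": "invoice-01",
     "delivered": "2024-03-04T09:00:04", "clicked": "2024-03-04T11:42:17"},
    {"employee": "d.ruiz", "campaign": "parcel-02",
     "delivered": "2024-03-05T14:10:00", "clicked": "2024-03-05T14:10:01"},
]

def click_delay(event):
    """Time between delivery and the recorded click."""
    return (datetime.fromisoformat(event["clicked"])
            - datetime.fromisoformat(event["delivered"]))

def leaning(delay, peers, window):
    """Which way the evidence leans; never a definitive verdict."""
    if delay < timedelta(0):
        return "check timestamps"   # click recorded before delivery
    if delay > window:
        return "leans real"         # clear gap between delivery and click
    # Fast click: automated scanning should affect several employees.
    return "leans automated" if peers >= 2 else "inconclusive"

def triage(events, window=SCANNER_WINDOW):
    """Return (employee, delay in seconds, leaning) for every click."""
    fast = defaultdict(set)  # campaign -> employees with a fast click
    for e in events:
        if timedelta(0) <= click_delay(e) <= window:
            fast[e["campaign"]].add(e["employee"])
    return [
        (e["employee"], int(click_delay(e).total_seconds()),
         leaning(click_delay(e), len(fast.get(e["campaign"], ())), window))
        for e in events
    ]

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

A fast click seen for only one employee comes back as "inconclusive", which is the case where the employee's own account of their actions matters most.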
Coming to a conclusion
When faced with a report of a false click, it can be difficult to decide what to do.
There isn't a way to 100% determine if a click was real or not, as you'd have to be watching employees at all times to determine that!
It's always possible that an employee isn't being truthful; perhaps they feel embarrassed that they clicked, or they're not used to having their actions directly called out and are feeling defensive.
When coming to a conclusion on what to do next, you should consider how important accurate click stats are to your company, whether employees will be negatively impacted by having clicks on their profile, and how strict you wish to be when it comes to security events being removed.
You should look at all the information you have to hand about the click, and whether that information leans towards the click being real or not.
Once you've made your decision, you can choose how you'd like to act upon it.
Inform the employee that you believe this is a true click
Pull together all the information you have gathered, and explain this to the employee. Ensure that you clearly list all your reasoning and the steps you took to investigate.
They may not be happy with your conclusion, so you may want to plan an escalation process to deal with any employees who won't accept your decision.
Implement a grace period for false clicks
If you want to be more lenient with click reports, you could consider a grace period for false click reports.
CultureAI admins have the ability to remove security events from employee profiles, including clicks. See our guide on removing events.
Setting up an internal process to deal with employee event challenges will help you deal with them smoothly.
An example of this could be:
- Employee raises a challenge through a dedicated form that includes details of the events they disagree with and the reason behind the challenge
- A CultureAI admin reviews the events challenged
- A decision is made regarding the challenge; you will need to decide whether you agree or disagree with the employee
- The event is removed, or left in place
- The challenge is logged to keep a clear record of how many times an employee has challenged something, and how many events have been removed for them