Bot Detection

One of the most frustrating things in phishing simulations is seeing a 100% click rate when you know your users aren't that bad — or a 0% click rate when you're sure people should have clicked. Both usually come down to automated systems interfering with your simulation. This section explains how PhishGrid handles it and what you can do.


How PhishGrid tracks interactions

Clicks

When a user clicks a link in a simulation email, PhishGrid logs a click event with:

  • Timestamp
  • IP address
  • Browser/OS (user agent)

Opens (views)

Emails are tracked via a 1×1 pixel tracking image embedded in the email body. When the recipient's email client loads the email with images enabled, the pixel fires and registers an "open" event.

Limitations of pixel tracking:

  • Email clients that block remote images won't register an open until the user allows images
  • Preview panes may or may not load images depending on client settings
  • Privacy tools (Apple Mail Privacy Protection, etc.) pre-fetch pixels, making open rates unreliable

Open rates are a weak signal — focus on click rate and report rate as your primary metrics.


What is bot detection?

Security tools in your mail environment — gateways, antivirus, link scanners — often automatically follow every link in every email to check if it's malicious. When they follow a PhishGrid simulation link, it registers as a click. This is a false positive — the click came from a machine, not a person.

Bot detection is PhishGrid's system for identifying and filtering these automated clicks so they don't contaminate your results.


How bot detection works

Every time a tracking event is logged, PhishGrid analyses it and assigns a Tracker Score:

| Score | Meaning |
|-------|---------|
| 100 | Valid user interaction |
| 0 | Unprocessed — not yet classified |
| -5 | Potential false positive (bot activity) |

The system flags a click as a bot if it detects:

  • The click happened immediately after delivery (within a configurable time window)
  • The IP address belongs to a known cloud provider or bot network (checked via IP intelligence data)

Configuring bot detection

Go to Organisation Settings → PhishGrid Configurations to enable and configure bot detection.

Detection modes (time-based filtering)

| Mode | Duration | Best for |
|------|----------|----------|
| Conservative | 5 seconds | Environments with light security scanning |
| Balanced | 10 seconds | ✅ Recommended default for most organisations |
| Inclusive | 30 seconds | Environments with aggressive link scanning |
| Tolerant | 60 seconds | Very aggressive scanning environments |

The duration controls how long after delivery a click is treated as potentially automated. Any click recorded within that window is scrutinised more closely.

Start with Balanced. If you're still seeing obvious bot clicks (identical timestamps, strange IPs), move to Inclusive or Tolerant.
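
The two signals and the mode windows above, applied to a small click log. This is an added example for reviewing exported results, not PhishGrid's own implementation. It assumes either signal alone is enough to flag a click; the IP ranges, sample events and the names `classify`, `review` and `hit` are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Seconds after delivery, from the detection-mode table on this page.
MODES = {"Conservative": 5, "Balanced": 10, "Inclusive": 30, "Tolerant": 60}
VALID, POTENTIAL_BOT = 100, -5  # Tracker Score values from the page

# Constructed stand-in for IP intelligence data (RFC 5737 documentation ranges).
SCANNER_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

def classify(delivered, clicked, ip, mode="Balanced"):
    """Return (score, reasons). Assumption: either signal alone flags the click."""
    reasons = []
    delay = (clicked - delivered).total_seconds()
    if delay <= MODES[mode]:
        reasons.append(f"clicked {delay:.0f}s after delivery (window {MODES[mode]}s)")
    if any(ipaddress.ip_address(ip) in net for net in SCANNER_NETS):
        reasons.append(f"{ip} is in a listed cloud/scanner range")
    return (POTENTIAL_BOT if reasons else VALID), reasons

def review(events, mode="Balanced"):
    """Score each event; return (scored events, click rate from valid clicks only)."""
    scored = [(e, *classify(e["delivered"], e["clicked"], e["ip"], mode)) for e in events]
    users = {e["user"] for e in events}
    human = {e["user"] for e, score, _ in scored if score == VALID}
    return scored, len(human) / len(users)

T0 = datetime(2024, 5, 1, 9, 0, 0)  # constructed delivery time

def hit(user, ip, seconds):
    """Build one constructed click event, `seconds` after delivery."""
    return {"user": user, "ip": ip, "delivered": T0, "clicked": T0 + timedelta(seconds=seconds)}

# Constructed click log: all four users "clicked", a raw click rate of 100%.
SAMPLE = [
    hit("alice", "198.51.100.7", 2),     # scanner range, 2 s after delivery
    hit("bob", "192.0.2.10", 8),         # unlisted IP, inside the Balanced window
    hit("carol", "192.0.2.44", 2820),    # unlisted IP, 47 minutes later
    hit("dave", "203.0.113.20", 1200),   # scanner range, 20 minutes later
    hit("alice", "192.0.2.9", 10800),    # alice's own click, 3 hours later
]

if __name__ == "__main__":
    for mode in MODES:
        scored, rate = review(SAMPLE, mode)
        print(f"{mode:<12} filtered click rate {rate:.0%}")
        for e, score, reasons in scored:
            print(f"  {e['user']:<6} {score:>4}  {'; '.join(reasons) or 'valid'}")
```

In this sample, bob's 8-second click counts as valid under Conservative but is flagged from Balanced upwards, which is the trade-off the mode choice makes. alice still counts as a real click because her later hit passes both checks.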


Manual review and correction

Even with bot detection enabled, you may need to manually review results:

  • Update False Positive Status — re-runs the bot classification algorithm for the campaign. Use this after changing bot detection settings mid-campaign.
  • Mark & Delete — manually flag specific hits as false positives and remove them from the results.

Access these options from the campaign detail view.


Common issues and fixes

"Everyone clicked immediately — 100% click rate"

Cause: Your mail gateway or endpoint security is scanning every link automatically.

Fix:

  1. Check your whitelisting — specifically Safe Links and URL-scanning settings
  2. Enable or increase bot detection sensitivity (move to Inclusive or Tolerant mode)
  3. Review the IPs in the click log — if they all belong to your security vendor or a cloud provider, it's automated

"Nobody received the email"

Cause: Simulation emails are being blocked or quarantined before reaching users.

Fix:

  1. Check the Microsoft 365 Quarantine Portal for blocked messages
  2. Verify all PhishGrid domains and IPs are whitelisted at every filtering layer
  3. Check if the sender domain is on a blocklist
  4. Ask a test user to check their spam/junk folder

Cause: Safe Links or another URL-rewriting tool is modifying the PhishGrid tracking URL.

Fix:

  1. Add PhishGrid domains to the Safe Links "Do not rewrite" exclusion list
  2. Check any proxy or web filter for URL inspection rules affecting the simulation domains

"Some users show as clicked but say they didn't"

Cause: The click may have come from:

  • Mobile link preview (iOS or Android automatically previews URLs)
  • An email security add-in
  • The user forwarded the email and the recipient's system scanned it

Fix:

  1. Check the click IP and timestamp — if it's within seconds of delivery or from a cloud IP, it's automated
  2. Use Mark as False Positive for confirmed bot clicks
  3. Review bot detection settings and increase the time window

"Open rate is 0% but click rate is high"

Cause: Apple Mail Privacy Protection or a similar tool pre-fetches the tracking pixel without showing the user opened the email, but separately follows the link.

Fix: This is expected with modern email clients. Treat it as a known limitation — the click rate is the reliable metric.


Getting help

If you've worked through these steps and still have unexplained results, contact PhishGrid support with:

  • Your email gateway and security tool stack
  • The campaign ID
  • A screenshot of the affected click log entries (IP, timestamp, user agent)
  • Your current bot detection configuration
