A user with a supervisor role or higher can download an export of the simulation campaigns conducted in the "Statistics > Phishing Report" section.
The global report is updated to the latest completed campaign.
The following information visible in the downloadable Phishing report from the platform can help identify bot clicks:
-
Phished browser: If the browser indicated or its version is not used in your environment or is outdated, it might suggest an automated click.
-
Operating system not accessible by users: If the operating system indicated in the report is not accessible to users within your environment, it might indicate an automated click.
-
IP address: If the IP address belongs to a provider of one of your security products, it could be a sign of a click generated internally by a security tool.
What causes unexpected IP addresses in campaign results?
When a click is recorded by Cyber Guru, the IP address from which the "click" originates is logged. Below are some examples of why you might see unexpected IP addresses:
-
Mobile devices: If a user clicks on a link using a mobile device, the IP address might reflect the user's cellular service provider.
-
Home network: If the user is connected to their home Wi-Fi network, the click will be recorded with the IP address provided by the home's Internet Service Provider (ISP).
-
Public networks: If the user connects to a public Wi-Fi network, the recorded IP address will relate to the user's physical location at the time of the click.
-
Using hosting services like AWS: If the user or their services use a hosting service provider, the IP address might come from a different location, sometimes even from another country. Some link analysis processes might not occur on the client side, and the link might be "passed" to the security provider's backend processing or analysis center;
-
Analysis through services like VirusTotal: When a URL is sent for analysis to VirusTotal, the recorded IP address can come from a different location. This process can be automatically triggered by a security product used or by the user themselves. When a URL is sent to VirusTotal, it analyzes the URL to determine if it should be added to threat definitions as hostile. Sometimes link analysis is immediate. Other times it can occur over several hours. These IP addresses can be recorded as security providers or as ISPs.