Trusted Clicks - Removing bot clicks from Analytics

Starting March 4, 2026, SoSafe will automatically filter out automated bot clicks from Phishing Simulation Analytics. If you notice that click rates on new campaigns appear lower than before, this article explains why and what it means for your data.

What are bot clicks?

Many organizations use email security tools - such as Microsoft Defender, Proofpoint, Barracuda, Mimecast, and others - that automatically scan links in incoming emails. When SoSafe sends a simulated phishing email, these tools may automatically "click" the links in the email as part of their security scanning process.

These automated clicks (sometimes called "ghost clicks" or "bot clicks") are not performed by real employees. They happen before anyone reads the email and can significantly inflate click rate metrics in your Analytics dashboards.

What is Trusted Clicks?

Trusted Clicks is SoSafe's detection system that identifies and filters out automated bot clicks from your Phishing Simulation Analytics. It works by analyzing click behavior patterns to distinguish between human interactions and automated security tool scans.

When Trusted Clicks identifies a bot click, that click is still recorded but filtered out of your reports. No data is lost – bot clicks are kept in the background so they can be referenced if needed. They simply won't appear in:

  • Analytics dashboards (click rate charts, KPIs)

  • Exported reports

  • Campaign performance summaries

All click metrics you see reflect genuine employee interactions only.

How does bot detection work?

SoSafe's bot detection system uses a honeypot-based approach combined with multiple behavioral signals to determine whether a click is automated or human.

Honeypot detection: Each phishing simulation email includes a hidden link that is invisible to human recipients but detectable by automated security scanners. When a scanner "clicks" this hidden link, the system identifies the source IP and flags all associated click events from that IP for the same email as bot-triggered.

Additional detection signals include:

  • Click timing patterns – Bot clicks typically occur within milliseconds of email delivery, far faster than a human could read and click.

  • Same-actor correlation – When a honeypot click is detected, all clicks from the same IP address for the same email within a short time window are flagged as bot activity.

  • Known bot signatures – SoSafe maintains a database of known email security tool behaviors and user-agent signatures (e.g., Microsoft Defender, GoogleImageProxy, HeadlessChrome).

  • Click source analysis – The system evaluates the origin of the click to identify automated security infrastructure vs. end-user devices.

The detection system uses a weighted scoring model. When combined signals exceed a confidence threshold, the click is classified as a bot click and filtered from analytics.
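The signals described above, combined into a weighted score and run over a few click events. This is an added example, not SoSafe's implementation: the weights, threshold, time windows and the `Click` record are assumptions chosen for illustration, and the sample events are constructed.

```python
from dataclasses import dataclass

# Hypothetical values: the article does not publish SoSafe's weights or thresholds.
WEIGHTS = {"honeypot_actor": 0.6, "fast_click": 0.25, "known_signature": 0.25}
THRESHOLD = 0.5
FAST_CLICK_SECONDS = 2.0    # assumed cut-off for "faster than a human could read and click"
CORRELATION_WINDOW = 60.0   # assumed "short time window", in seconds
BOT_UA_MARKERS = ("GoogleImageProxy", "HeadlessChrome")  # signatures named in the article

@dataclass
class Click:
    email_id: str
    ip: str
    user_agent: str
    delivered_at: float         # epoch seconds the email was delivered
    clicked_at: float           # epoch seconds of the click
    is_honeypot: bool = False   # True when the hidden link was requested

def score_click(click, all_clicks):
    """Return (score, signals) for one click event."""
    signals = []
    # Same-actor correlation: honeypot hit from the same IP, same email, close in time.
    if any(h.is_honeypot and h.email_id == click.email_id and h.ip == click.ip
           and abs(h.clicked_at - click.clicked_at) <= CORRELATION_WINDOW
           for h in all_clicks):
        signals.append("honeypot_actor")
    if click.clicked_at - click.delivered_at <= FAST_CLICK_SECONDS:
        signals.append("fast_click")
    if any(m.lower() in click.user_agent.lower() for m in BOT_UA_MARKERS):
        signals.append("known_signature")
    return sum(WEIGHTS[s] for s in signals), signals

def trusted_clicks(all_clicks):
    """Records are kept; only visible-link clicks below the threshold are reported."""
    return [c for c in all_clicks
            if not c.is_honeypot and score_click(c, all_clicks)[0] < THRESHOLD]

# Constructed sample events (documentation IP ranges, made-up ids).
SAMPLE = [
    Click("mail-1", "203.0.113.7", "Mozilla/5.0 HeadlessChrome/120", 1000.0, 1000.4, True),
    Click("mail-1", "203.0.113.7", "Mozilla/5.0 HeadlessChrome/120", 1000.0, 1000.6),
    Click("mail-1", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0", 1000.0, 4600.0),
    # Same IP as the scanner but a different email: not correlated, so it stays trusted.
    Click("mail-2", "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0", 2000.0, 2900.0),
]
```
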

What changed and when?

Trusted Clicks filtering applies to phishing simulation data from March 4 onward.

  • Data from March 4 onward – Bot clicks are automatically filtered out. Click rates reflect human interactions only.

  • Historical data (before March 4) – Not affected. All historical reports, dashboards, and exports remain exactly as they were.

How does this affect my data?

After March 4, you may notice that click rates on new phishing simulation campaigns appear lower compared to historical campaigns. This is expected and is a sign that the data is now more accurate – it does not mean employee behavior has changed.

The magnitude of the change depends on your organization's email security setup. Platform-wide analysis shows that approximately 8% of all clicks are bot-generated on average, but this varies significantly:

  • Organizations with aggressive link-scanning tools (e.g., Microsoft Defender Safe Links, Proofpoint sandboxing) may see a larger decrease – in some cases well above 15%.

  • Organizations with lighter email security may see little to no change.

Example: If a campaign previously showed a 15% click rate and a portion of those clicks were from bots, the same campaign type would now show a lower click rate – reflecting only the clicks from real employees.

Frequently asked questions

Do I need to do anything to enable Trusted Clicks?

No. Trusted Clicks is enabled automatically for all customers. No configuration or action is required on your end.

Will my historical reports change?

No. Historical data, reports, and exports are not affected. The filtering applies only to data collected from March 4 onward.

Does this affect email open rates or other metrics?

Trusted Clicks specifically filters bot clicks on phishing simulation links. Open rate tracking and other engagement metrics are handled separately and are not changed by this update.

Can I disable Trusted Clicks?

Trusted Clicks is enabled by default for all customers and cannot be disabled. The filtering ensures data accuracy and is considered a core part of the analytics experience.

Does this affect compliance reporting?

Yes, positively. Compliance reports are now more accurate because they exclude inflated click data from automated tools. This gives you a clearer, more defensible picture of actual employee risk.

My email security tool is not listed above. Will it still be detected?

SoSafe's bot detection is not limited to specific security tools. The honeypot-based approach detects automated clicks regardless of the specific tool, so coverage extends to most common email security solutions.

I see a sudden drop in click rates starting March 4. Is this a bug?

No. A drop in click rates starting March 4 is expected and means the filtering is working correctly. The lower rate reflects genuine employee clicks with bot activity removed.
