Problem

Phishing data timestamp discrepancies, particularly regarding the time an email is opened and when a link is clicked or the email is reported, can occur for several reasons when using platforms like ProofPoint and KnowBe4. These discrepancies often stem from technical limitations and the way these platforms track user interactions.

Network Latency

There can be a delay between when a user interacts with an email and when that interaction is recorded by the phishing simulation platform. This delay, while usually minimal, can sometimes cause timestamps to appear identical or very close together.

Batch Processing

Some phishing simulation platforms may process user interactions in batches rather than in real-time. This can result in multiple actions appearing to have occurred simultaneously, even if they were actually separated by a short time interval.

Time Zone Differences

If the phishing platform and the user's device are in different time zones, this can lead to apparent discrepancies in timestamps. It's crucial to ensure all timestamps are converted to a standard time zone (usually UTC) for accurate comparison.

Delayed Email Opening

It's possible the user actually opened the email on a different device or at a different time than initially thought. For example, the user may have previewed the email in a notification, reported it, and then officially "opened" it later on a different device.

Email Syncing Issues

If the user has multiple devices synced to the same email account, they might have opened and reported the email on one device (e.g., mobile phone), but this action wasn't immediately reflected on their primary device (e.g., desktop) due to syncing delays.

Platform-Specific Considerations

ProofPoint uses various detection methods, including URL tracking and image loading, to determine when an email is opened or a link is clicked. However, these methods can sometimes trigger simultaneously, leading to identical timestamps.

KnowBe4

KnowBe4's phishing simulations often use tracking pixels and specialized links to monitor user interactions. If a user's email client automatically loads images or prefetches links, this can cause the "opened" and "clicked" actions to appear to happen at the same time.