How to Detect Mouse Jigglers and Activity-Mimicking Tools in ActivTrak

ActivTrak's workforce analytics platform helps organizations optimize productivity and performance through data-driven insights. Our comprehensive false activity detection capabilities ensure the accuracy of your productivity analytics by identifying potential artificial inputs that could impact your data quality.

ActivTrak's comprehensive activity detection capabilities combine pattern recognition, software identification and duration analysis to deliver actionable insights. Once enabled, these three detection methods work together to identify potential artificial inputs and help maintain data quality. The system flags activities that may require investigation—such as unusual patterns from USB devices or software tools—empowering you to make informed decisions based on reliable productivity data.

Learn more in the sections below:

Understanding activity-mimicking detection capabilities

Setting up out-of-the-box alarms to detect potential false activity

Best practices for investigating PFA alarms

Best practices for responding to PFA alarms

Understanding activity-mimicking detection capabilities 

ActivTrak takes a unique, three-layered approach to software detection, pattern recognition and duration analysis:

• Software Detection identifies known mouse-jiggling applications
• Pattern Recognition detects both software and hardware-based repetitive behaviors
• Duration Analysis flags abnormally long periods of activity in the same window or tab

Each of these is key to determining if and when an employee may be using a device or software that makes it look like they’re working when they’re not. While other solutions on the market offer basic detection capabilities, ActivTrak goes further by providing investigation and response support so you act on insights. No other solution on the market offers this multi-layered approach.

Setting up out-of-the-box alarms to detect potential false activity

All ActivTrak paid plans have access to three out-of-the-box alarms. These alarms are turned off by default — simply toggle them on to be alerted when suspicious activity warrants investigation. New tools are constantly being introduced, so using all three alarms helps you detect the different methods employees might use to mimic activity.

Enabling PFA alarms 

To enable any of these alarms and be alerted immediately of potential mouse jigglers or other activity-mimicking tool usage:

• Navigate to Alarms > Configuration.
• Switch the alarm toggle on. 
• Set your desired actions

Input Simulation Software Detected 

Turn on this alarm to be alerted when an employee may be using software, such as a mouse jiggler, that simulates user activity. This alert detects most instances of simulation software and has a very low false positive rate, since ActivTrak identifies their presence on the computer's operating system.

The input simulation alarm tells you when software has been loaded onto an employee’s device, but not necessarily when it's used. It's available for ActivTrak Agent 8.2.16 and later versions and automatically identifies known mouse-jiggling applications on Windows and macOS platforms. In addition, you can set a limit for how many notifications ActivTrak sends to your team each day to avoid alert fatigue.

To configure the Input Simulation Software Detected alarm:

1. Activate the Alarm.
2. Select the user groups to which this alarm will be applied. 
3. Set email notifications to On. (If you do not want to receive notifications leave this setting off. The alarm will be logged when triggered but no email will be sent.)
4. Enter the email address of the manager or executive that should be notified.
5. Optional: Add MS Teams, Slack or other (webhook) notifications.
6. Optional:  If Screen Details are available, turn Screen Captures on and make sure “Single Screenshot” is selected.
7. Do not select the “Terminate” option.
8. Click Save.

High Duration Activity Detected

Turn on this alarm to be alerted when a user spends longer than 45 minutes on a single screen. Because it’s extremely rare for an employee to work on the same screen for 45 minutes or more without switching to another tab or going passive, this alert indicates a strong likelihood someone is using software or a device to mimic activity.

The high duration activity alarm is designed to flag abnormally long, same-tab sessions based on ActivTrak’s analysis of 9,500+ customers’ employee activity over the course of several years. It defaults to 45 minutes but can be configured for different thresholds if you have employees whose work is limited to a specific application for longer periods of time.  

To configure the High Duration Activity Detected alarm:

1. Activate the Alarm.
2. Select the user groups to which this alarm will be applied. 
3. Set the email notifications to On. (If you do not want to receive notifications leave this setting off. The alarm will be logged when triggered but no email will be sent.)
4. Enter the email address of the manager or executive to be notified.
5. Optional: Add MS Teams, Slack or other (webhook) notifications.
6. Optional:  If Screen Details are available, turn on Screen Captures and select “Multiple Screenshots.” 
7. Do not select the “Terminate” option.   
8. Click Save.

Repetitive Activity Detected

Turn on this alarm to be alerted when uniform, repeat patterns that do not look like natural human behavior are detected. This might include keys being held down, clicks being repeated at regular intervals or repetitive mouse movements.

The repetitive activity alarm detects both software and hardware-based patterns on Windows devices, and is unique to ActivTrak —  no other solutions on the market offer this type of detection. As with all alarms, it’s a signal to investigate further and find out what your employee is doing.

To configure the Repetitive Activity alarm:

1. Activate the Alarm.
2. Select the user groups to which this alarm will be applied. 
3. Set the email notifications to On. (If you do not want to receive notifications, leave this setting off. The alarm will be logged when triggered but no email will be sent.)
4. Enter the email address of the manager or executive to be notified.
5. Optional: Add MS Teams, Slack or other (webhook) notifications.
6. Optional:  If Screen Details are available, turn on Screen Captures and select “Multiple Screenshots.” 
7. Do not select the “Terminate” option.   
8. Click Save.

Best practices for investigating PFA alarms

It's important to view PFA detection data within the context of broader productivity trends. ActivTrak provides several tools you can use to investigate further. Follow these best practices when investigating  notifications: 

1. Review The Alarm logs

Click on the link included in the alarm notification or go to Alarms>alarm log to get the basic information included in the alarm. You can also filter by user and alarm type to see how often this alarm is triggered. 

2. Review The Activity Log 

Go to Live Reports > Activity Log and select the time when the alarm occurred. Look to understand the context of what happened before and after the alarm was triggered.  Does the activity look normal or is the alarm associated with a long period of strange activity?  Which software was being used before the alarm was triggered?  

Select a time frame (we suggest the last 30 days) and type the words “artificial input” in the box just below the ‘Description’ column header. Filter further by a specific user if desired. This filters all recent occurrences of potential false activity ActivTrak was able to detect from both hardware and software. 

3. Examine the productivity patterns 

Go to Live Reports > Top Users and Groups or Live Reports > Productivity, select the date in question and set the interval to a minimum of 5 minutes in the timeline charts at the bottom of the page. 

When ActivTrak detects a repetitive input pattern, the active state of the activity ends and it begins recording as passive time. Then, after the 20-minute default, it switches to inactive per your passive time setting unless a legitimate input is detected again. This means that if the user is attempting to mimic activity with something that creates a regular input pattern, it would typically present as low Productive Active Time in reports. This can be identified as white “gaps” in the timeline.

4. Analyze screenshots 

If you have access to screen captures, managers can review them to assess what happened when potential false activity was flagged. Many customers who require further investigation find it helpful to create custom multi-screenshot alarms for specific users who are repeatedly triggering a Potential False Activity log. The ability to see how the computer screen changes (or doesn’t) during one of these events can be extremely useful to an investigation. While not all accounts may have the Screen Details Add-on, it is the best way to obtain what may serve as “proof” a user is not working, if required.

5. Examine patterns with the risk level reports

The risk level report saves time and provides investigators with insights without the need to filter or download data. The risk level report is available to Customers on the Essentials, Essentials Plus, Advanced, Professional and Premium plans. 

• Go to Alarms > Risk level and Select the user in question to see the user alarm history and learn how commonly their alarm gets triggered. You can compare this user to others and easily determine how this user's alarm patterns compare to your team’s norm.

If you have an advanced ActivTrak plan, use the risk level report to see how frequently an alarm is triggered for individual users, and to identify employees with recurring issues.  

6. Gain advanced insights and easy trend view with a customizable BI template

Customers with ActivConnect can install the Potential False Activity Analysis Template. You can then use this to detect and analyze potential false activity patterns across your workforce, such as mouse jigglers. Investigate and document suspicious activity with detailed insights into user trends and activity types, including extended-duration events and suspicious application usage.

Evaluate activity mimicking trends over time to determine if the activity is persistent or an isolated incident.  (Need help? Contact our Support team to help you install your dashboard.)

Best practices for responding to PFA alarms

When you receive a notification that suspicious activity has been detected:

1. Use automated responses. ActivTrak provides automatic response tools to help ensure any mimicked activity doesn't skew important productivity metrics:

• Automatic Passive State Switching: When false activity is detected, the user is automatically switched to a passive state, ensuring your productivity data isn't artificially inflated.
• Adjust your Active Time Settings. Set a custom maximum time threshold for single activity reporting with ActivTrak’s Active Time Settings. The Active Time Setting defaults to 60 minutes but can be configured to any number between 30 and 120 minutes. To adjust your account’s Active Time maximum time threshold, navigate to Settings > Account Configuration and scroll to “Active Time Settings”. Update the time in minutes and click “Save” to apply changes. 

2. Have a conversation with the user. Recurring Potential False Activity alarms combined with a trend of low Productive Active time and a larger-than-expected number of “gaps” throughout the day usually indicate activity is regularly being mimicked. If this is the case, a conversation with the user is warranted. If a user’s metrics are below your set expectation (or set goal), focus the conversation on what needs to happen to increase that time.

Overall, it’s important to remember: Once alarms have been triggered, managers must use ActivTrak’s available tools to understand the context of these alerts and identify employees who may be persistently engaging in activity simulation. This overview can serve as an initial signal for HR or management to engage with the employee and assess any underlying causes of disengagement that ultimately led to the use of these tools.  Activtrak provides several tools for managers to improve engagement such as Coach and Workload Balance. 

In addition, keep in mind that: 

• The goal of alerts is not to identify when mouse jigglers or other hardware are in use. Rather, it’s to reveal when potential activity mimicking is taking place so you can investigate further and respond appropriately.
• Some sophisticated hardware-based mouse jigglers may occasionally evade detection.
• As a privacy-first platform, ActivTrak does not log keystrokes or monitor peripheral connections. Instead, it relies on OS information to detect activities that aren’t typical of regular business use. 
• For more details on the scope of ActivTrak services, review our Master Subscription Agreement and Acceptable Use Policy.

Additional resources:

• ActivTrak Alarms Guide
• Contact Support