This contribution proposes a classifier designed to reduce the number of false positive detections. It is a self-tuning model, tested in the context of phishing link detection. In this prediction model diverse types of aggregation functions and time-series data periods are used. Aggregation functions are employed to integrate the prediction values of classification models applied in the email phishing problem. Dividing a dataset into subsets allows for incremental learning strategies. This makes it possible to gradually improve the model by using previously acquired knowledge when training on new data. The aim of the contribution is to discuss the problem of obtaining minimal value of FPR while simultaneously getting maximal value of TPR. We applied the proposed ensemble model and neural networks models which were adjusted to the incremental learning strategy (and as base models were applied typical examples of incremental learning models). The study analyzes the dataset provided by FreshMail company. The reason to consider this problem arose with the real-life problem of the Freshamil Company and the data provided by this Company. This dataset uniquely fulfills the criteria essential for our experiments. Unlike other phishing datasets, this data provides dates which is important for the incremental learning approach. The proposed approach of ensemble learning models, based on aggregation functions, is compared to the well-known neural network models which may be treated as state of the art models in recognizing phishing attacks. The main advantage of the proposed algorithm is achieving high numbers of true positives while simultaneously achieving relatively small number of false positives. According to the statistical tests, for some of the desired TPR levels, the proposed model obtained significantly better by a few percentage points results than neural network models. It mitigates the cost arising from the manual analysis of these cases by domain experts.