Fact Sheet 106A
Your Case Log

 

This guide will provide you with the necessary tips and tools to organize your identity theft case effectively using one of three different methods.

  • ID Theft Help App Case Log
  • Computer
  • Hardcopy Notebook or Ledger

Taking care of your identity theft case can become very complicated.  You will need to keep track of many details regarding different jurisdictions (law enforcement) and different fraudulent or unauthorized uses of your identity.  It is crucial, both for you to remediate your case and if the case goes to court, to keep a detailed account of all the steps you have taken.

In order to become an effective, strong advocate for your case and repair your identity, it is vital to impose a form of organization for your case from the first day. 

  • You need to keep a detailed case log.  This will include notes regarding whom you have contacted and when, what documents you have received and which ones you are still waiting for, any costs you have incurred, and all time spent working on your case. The information that you want to capture includes:
    • Dated log
    • Confirmation of discussions and agreements
    • Record of items sent and received
    • Summary of your case to date

ID THEFT HELP MOBILE APP CASE LOG

The ITRC has designed an electronic case log feature into our ID Theft Help app. It is important to remember not to include any sensitive information in the case log feature.

When you download the ID Theft Help app, you can use the Case Log feature to keep track of all the details regarding who you have contacted, when, and what action you have taken. 

Download the app on iTunes for Apple devices and Google Play for other devices and begin using the case log feature right away. All of this information is housed on your device, not on a server, so it’s also important to remember to periodically print out a copy and keep it for your records.  Also remember to print out a copy if you change phones.

Remember, this case log feature is not a substitute for a remediation plan.  Please call and speak with an ITRC advisor for your personalized plan.  Once you have received the plan, you can use the case log to keep track of where you are in the process.  The case log will feature a wide number of resources and phone numbers to help you in your efforts to track your actions.   

Below is an example of an entry you would make if you were a victim of financial identity theft and someone accessed your EXISTING account:

Using the search button, you can search for the name of the bank with the affected account.  For instance, if you bank at ABC Bank, you can do a search.  If it’s in our listing it will automatically pull up the contact information.  If you cannot find your bank in our listing, you can create a custom entry by using the custom feature.

 

    

 

HARDCOPY HANDWRITTEN LEDGER

If you prefer a non-electronic form of logging your case notes, your log is best kept in a bound booklet or ledger-type book.

  • Dated log: A bound booklet, like a ledger book where pages cannot be easily removed, carries a great deal of weight in a court case.  Start with the first contact, letter or call as a victim of identity theft and continue from there. Don’t use post-its or scraps of paper.  They will get lost.  If necessary tape them into your dated log.
  • Journaling: Keep track of each person you spoke with, their title, employee number, phone and fax number, email address and the procedure you need to use to reach them easily (i.e., Punch 2, then *, then 41).  Include what they said, any follow-up needed from that call and the date that follow-up should occur. 
  • Confirm agreements and discussions: Whenever possible ask for written confirmation of a discussion.  If refused, mail a “Confirmation of Discussion” to that person stating that if the information as you listed it is incorrect, they should contact you.  When they don’t, what you have could be considered a confirmation of the call.  Mail this by return receipt requested mail so you have a paper trail.  Fax or email is acceptable only if you get a written response of receipt.
  • Summary of case to date: Write a 1/2 page summary of your case every month or so.  This will help you to focus on the primary points of your case, answer questions effectively and clearly explain what has transpired.  See ITRC Fact Sheet #112 for a guide.

From one victim:  I faxed a summary to each DA involved in my case.  I went through four of them.  That is not unusual.  I felt this would help them to understand what I felt were the pertinent points of my case.  My summary also became the basis of my victim statements.

  • Log items received and sent: Keep a log of what you receive by mail, who sent it, and what steps you took that day with that piece of mail or the phone call.
  • Telephone records: To find numbers quickly you may want to start a separate telephone and address book. However, also include this information in the official case log.  Some victims like to use the last few pages of the log as a directory, working backwards as it grows. 

COMPUTER

You can use the same process as the handwritten process but on your computer.  Remember, if you are entering this information into a spreadsheet, be sure not to include sensitive information such as your Social Security number or actual account numbers.  It is important to ensure that you have a clean PC and that you are staying up to date on security patches and virus scans. Make sure you have updated security systems in place if you use a computer.

SUMMARY

As victims of identity theft, we are often left on our own, without a guide through the maze of reestablishing our good credit and name.  The Identity Theft Resource Center is here to help.  Please contact us with your questions.

 

ITRC Fact Sheet 301
Enhancing Law Enforcement and Identity Theft Victim Communications:  A Tool for Law Enforcement Officers Working with Identity Theft Cases


This ITRC Fact Sheet includes:

  • Facts About Victims of Identity Theft
  • Developing Victim Guide Sheets
  • The Initial Meeting
  • The Victim as a "Limited Partner"
  • Additional Resources

Identity theft is a dual crime. It is fraud against the financial institution and the individual whose personal information has been abused. While the victim may eventually be made whole financially, it will take a tremendous amount of effort on their part, and there will still be residual effects. Just as with victims of violent crimes, physical wounds will heal, however scars remain. Victims of financial crimes experience a similar process. Both their trust and their financial stability have been violated. It is important for law enforcement to recognize that victims of identity theft (and financial crimes in general) are still crime victims. Communicating this fact compassionately and effectively is critical.

This fact sheet contains techniques that will help you to more effectively communicate with victims and build reasonable expectations. By turning victims into assets instead of liabilities, you actually save time and energy during case resolution.

The most frequent issue that victims report to the ITRC pertaining to law enforcement is an inability to obtain that most crucial document - a police report. Many jurisdictions are unaware of the laws in place that mandate this action. The ITRC has an interactive map that outlines the laws state by state. Have a question about the status of your jurisdiction? Click on the map for the answer. This first step, the police report, is critical for mitigation of identity theft cases.

When law enforcement is unwilling or unable to provide victims with a police report, the victim often feels that either the officer does not consider identity theft an important issue, or that the officer does not consider the identity theft victim to be a crime victim, perhaps because in some cases there is no long term financial loss.

The ITRC has worked with many peace officers and we know that the majority of those who work in law enforcement do care. During our communication with victims we reiterate this fact and attempt to set reasonable expectations for law enforcement support, as well as help to define the role of law enforcement in the victim's mind.

Some Facts About Victims of Identity Theft

• Victims of identity theft, as with any crime, are scared, confused, and have had their trust violated.
• Many victims report that the undermining of their financial health and good name has either permanently impacted their lives or has affected them for years. It is difficult for them to foresee a conclusion to their case when they continue to receive information regarding additional uses of their identifying information after the initial issue appears to have been resolved.
• Most of these people have never been a prior victim of crime, and thus have a limited understanding of the criminal justice system and the investigative process. They can become overly excited, demanding and anxious. They want everything done yesterday.
• Victims can uncover evidence that will be helpful in the case. It may not always be what you need, but it can help. Allowing the victim to become a resource in the investigation could produce positive results.
• Victims should be encouraged to become their own advocates. They need to continue to be a part of the process and feel like they are doing something to regain control. The ITRC helps to communicate self-advocacy to the victim while building reasonable expectations regarding the outcome of their case.

Prior to the Initial Meeting

ITRC recommends that each law enforcement agency develop and send out an Identity Theft Victim Guide, a tri-fold or letter. Many agencies have a communication piece for financial crimes in general and simply include Identity Theft as a facet of this piece.

This document should outline the initial steps for victims, and how to prepare for the investigator's phone call or visit. This will give victims a chance to get started immediately, fulfilling the desire to "get started now." The worksheet will help them separate the relevant from the irrelevant and reduce your time spent gathering information during the initial process. This document should be made available to the victim either via mail, fax or website, on the same day the issue is reported.

You may adapt the ITRC Fact Sheet 112 for this purpose. Please contact ITRC if you decide to adapt these guides for your agency's use, either via email or via our call center number, 888-400-5530.

Many agencies have developed victim-friendly communication pieces that can be used as a template. Please contact the ITRC for referrals to other law enforcement entities that have engaged the ITRC in this endeavor and we can provide names and contact information.

After the opening greeting, your victim guide should provide:

• The first few steps a victim should take (examples):

Call the 3 credit reporting agencies, obtain copies of the credit reports, place a fraud alert, identify open fraud accounts and inquiries from companies that have received fraudulent applications.

Notify affected credit card companies and banks, etc. and obtain account numbers and other pertinent information if possible. Try to get copies of all documents and conversations associated with the account.

Identify fraudulent home addresses and other information on your credit report.

• Phone numbers and web sites of resources including the credit reporting agencies.
• A list of some of the initial steps that occur in your department after the complaint is made. This helps victims to understand something is being done. For instance: "At the end of each shift, all reports are read by triage officers and forwarded to the proper investigating department. It typically takes about seven days before you receive a call from us. If you have not heard from us after that time period, please call __________."
• Recommendations for preparation of the initial meeting. Again, the ITRC has fact sheets written for both victims and the people who serve them. Consider adapting ITRC Fact Sheets 106, 110 and 112 to suit the needs of your organization.
• At a minimum, provide victims with the recommendation to keep a journal that includes date of discovery of the fraud, all of their contacts thus far in trying to remediate their case, details regarding potential suspects, and a list of all affected accounts. For example:
Date of Discovery: On XXX date, I received a collection phone call from a creditor for an account that I was not aware of and that I did not open or use. For example:  There are three credit cards that I have never opened on the Experian report.

American Express account 1234567890123465 $___ total charges to date

Visa account 2345678901234567 $___ total charges to date

Discover account 4567890123456789. $___ total charges to date.

Facts about the imposter

I believe that my identity was stolen from an application for a cell phone because I used my middle initial which I have not used on any other applications in the last 2 years. The thefts started within 2 weeks of my filling out the application and all used that same middle initial.

My sister and I look alike and she has a checkered past. I believe she may have something to do with this, but I have not confronted her.

The Initial Meeting

Realize that your agenda and that of your victim may differ. Consider providing a written agenda for the initial meeting to quickly set guidelines and expectations. Also set a time limit for the meeting based upon the amount of time you will need to gather the pertinent info. As previously stated, victims often are wounded and as such will feel the need to talk at length about the episode. Let them know ahead of time how much time you have devoted to their case, and inform them up front. Let them know it's not because you don't care, but because you also have many other cases that must be investigated, and you must treat all victims with equal respect and importance.

At the conclusion of the intake interview/meeting, inform the victim candidly regarding the potential outcome of the case. Financial crimes investigations take a great deal of time and effort. They do not move quickly. Ensure the victim is informed of this fact. Additionally, even with exceptional investigative efforts the fact is most of these cases will not result in an arrest or prosecution. The victim needs to understand this as well. If you do not feel the chances are good that the case will end in an arrest, inform the victim so they can begin resetting their priorities (clearing his/her name and credit history). The truth may be difficult for them at first, but better to set the truthful and realistic expectations immediately, rather than have to disappoint them later. Have this difficult conversation at the conclusion of the initial meeting.

Provide the victims with additional resources such as your local Victim/Witness assistance program in your jurisdiction and/or the Identity Theft Resource Center.

Lastly, let the victim know when they can obtain a hard copy of the police report. This report is critical for them to begin the process of remediating their case. Many of the protections under federal and state law do not become effective until the victim has the police report in hand.

The Victim as a “Limited Partner”

This is your case. Clearly, you must be in charge of the investigation. However, almost every victim has an overwhelming need to be actively involved. It is their reputation. It is their credit at risk.

Teach your victims how to work with you effectively. Brief them on what they may and may not do. Set some rules for them to follow and task them with assignments that could provide useful information to you. For example, FCRA's Section 609e allows them to request a copy of transaction records and the application for fraudulent accounts set up in a victim's name and Social Security Number. They can also designate a copy be sent to you, potentially saving you time and effort.

Some Final Thoughts

There is no easy answer to identity theft. The law enforcement community and advocacy organizations such as the ITRC must work in tandem in order to achieve the most effective results. If you would like to be a part of this dialogue please contact the ITRC directly as we have many resources within the law enforcement community that have developed robust identity theft programs and processes and are willing to share this information with fellow officers.

RESOURCES YOU MAY LIST ON YOUR GUIDES TO VICTIMS:

• www.idtheftcenter.org
• www.ftc.gov
• www.irs.gov (for victims of government ID theft)

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to the ITRC. We thank Sgt. Joseph Dulla (Los Angeles Sheriff's Dept.), Det. Paul Libassi (San Diego County District Attorney's Office) and Lt. Brian Blagg (San Diego Police Department) for their insights and advice, and for being a valued source of information.

 

ITRC Fact Sheet 148
Fraud Affecting the Non-prime Population

This guide includes:

The Non-prime Population:

Traditionally, the non-prime (or sub-prime) population has been described as a group of people who are unable to obtain credit through traditional channels because they are considered the greatest credit risk.

Now, with the economic downturn, it is harder for even more consumers to obtain traditional lines of credit, loan approvals, or even low APRs due to changes in lending practices. Adding to this hardship, consumers coping with salary reductions or the loss of employment are often unable to make their monthly payments, eventually causing their consumer credit scores to drop. As a result, many Americans find themselves struggling with the credit granting criteria of prime lenders (lenders who offer traditional credit). Once considered “prime consumers,” this new and growing population now falls under the category of “non-prime consumers.”

As it becomes harder for consumers to obtain traditional lines of credit, more consumers are using alternatives. According to the study Changing Patterns and Behaviors of Non-Prime Payday Loan Consumers by Clarity Services, Inc., “ … between February 2010 and August 2011, there was a substantial shift in the types of consumers who request payday loans, with the more stable, higher earner segment increasing by over 500 percent.” Payday loan lenders and other companies issuing non-traditional credit are major players in granting short-term loans to this growing population of consumers.

These lenders are often the only institutions offering non-prime consumers access to a reliable cash-flow source. According to Clarity Services, Inc., “the total annual impact to US delinquencies would be $2 billion if payday lending was not available to consumers who take out short-term alternative loans for the purpose of paying back other past due commitments.”

Applying for and Taking Out a Payday Loan:

Consumers are able to apply for payday loans in person at a brick and mortar (storefront) institution or online. When you apply for a payday loan online, you may be applying with one lender or a whole network of lenders. Many of the web sites that advertise loans are third parties that take applications for loans and offer them to lenders in their network. Because of this process, one application can be seen and approved by multiple lenders. It is up to you to decide which loans to take, if any, and to be aware of the fees and due dates of payments.

If you have taken out a payday loan, it is important to note that credit reports from the three major credit bureaus (i.e. Experian, TransUnion, and Equifax) typically do not include information on the payday loan dollar amount borrowed by the consumer or the amount owed unless the lender has referred the account to collections.

Identity Theft and Payday Loans:

Since payday loans typically do not appear on credit reports from the three major credit bureaus unless an account has been sent to collections, a victim will often not know about a fraudulent payday loan until he or she has been contacted by a lender or collections agency. An identity theft victim with payday loans in his or her name may have to utilize several resources in order to understand the extent to which their identity has been compromised. First, if you have been contacted by a collections agency, please refer to ITRC Factsheet FS 116: Collections Agency and Identity Theft and follow the steps provided.

If you have been contacted by a lender or you are contacting a lender about an overdue payday loan that you did not authorize, ask to speak to a representative who can handle fraudulent claims. When speaking to the representative, state that the payday loan in question is fraudulent and you are a victim of identity theft. Then inquire after any other loans in your name. Once you have obtained the information you requested, ask about the clearance process, which may vary according to lender. Follow all the steps the lender gives you to ensure proper removal of all fraudulent activities. Also inquire about any alternative credit bureaus (i.e. not one of the three major bureaus – Experian, Equifax, TransUnion) that offer credit reports that may contain any loan inquiries and/or funded loans from the lender. Request a credit report from any of the bureaus that the lender names. If the credit report(s) show fraudulent activity, refer to ITRC Factsheet FS 100: Financial Identity Theft: The Beginning Steps and ITRC Factsheet FS 100A: More Complex Cases for mitigation steps.

Payday Loan Scams:

According to the Internet Crime Complaint Center (IC3.gov), payday loan scammers made a reported amount of more than $8 million in 2011. However, since not all victims report their losses, it is likely that the amount is even higher. Payday loan scams usually follow the same basic formula. The scammers will contact consumers at all times of day and night. In addition, the fraudsters often claim to be attorneys, part of a government agency, or employees of legitimate-sounding banks or companies. The scammers then state the consumer owes money towards a loan and needs to repay it immediately.

While these victims may have applied for payday loans or may have received loans in the past, they owe no money to the callers. Somehow, the fraudsters have gotten ahold of the consumers’ account and personal information. The fraudsters typically know information such as SSN, address, names of relatives or references, or perhaps the name of a lender that the consumer would recognize. The fact that the scammers have this information makes the scam victim believe that the caller is part of a legitimate company which received a loan application. Also, these fraudsters will intimidate people in a number of ways: using abusive language; threatening lawsuits or jail time; and calling or threatening to call relatives, coworkers, or employers.

The Fair Debt Collections Practices Act details consumers’ rights and states what debt collectors are not allowed to do. Refer to ITRC Fact Sheet FS 116A: Your Debt Collection Rights for information regarding the act. If the person calling refuses to provide you with written notice of a collection (also known as validation notice), or violates the FDCPA in any other way, hang up and do not give any information about yourself because this is likely a scam.

For more information about protecting yourself, please refer to:

ITRC Factsheet FS 123: Scam Assistance

ITRC Factsheet FS 124: Fraud Alerts and Credit Freezes.

You can also report a scam call by contacting the Federal Trade Commission (FTC) and your state Attorney General.

 

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to the ITRC.

ITRC Fact Sheet 147
Risks of Mobile Applications

This fact sheet offers recommendations on how to make your experience with mobile applications safe and enjoyable. The following subjects will be addressed:

Many tasks you would do on a computer can now be done, while on the go, with a smartphone. However, with all of that accessibility and convenience comes a price. That price may be diminished safety and privacy. Mobile applications help users do everything from ordering a pizza to depositing checks. The potential danger of this convenience arises when users are not aware of the risks associated with these applications and do not check to ensure the applications they use do not share any information collected from the user.

Risks associated with mobile applications

There are many risks associated with the usage of mobile applications. Some of the more prominent ones are:

  • Malware: Malware is software that is intended to do a malicious act. It could damage or disable computers and computer systems, but is often used nowadays to retrieve information from an infected system. A smartphone is much like a mini-computer, so it makes sense that the risk of malware to computers is present on smartphones as well. Malware can take many forms including trojans, viruses, worms and others that we define at the end of this article. This software may install things such as key logging software, spyware, botnets and other nasty things. These programs are often used to obtain personal information which can then be used for the financial gain of the criminals who have installed them, sometimes with a significant cost to the person affected.
  • Metadata: Metadata is data that describes a data file. For instance, when a digital picture is taken with a digital camera or smartphone, there is information contained in the picture file that recreates the image for others to view. However, in the same image file there is also information about that image, such as where the picture was taken (GPS location), when it was taken and information on the device which took it. Criminals can use this information to track consumers.
  • Application (App) Scams: There seems to be an application that will do just about any task these days. However, some of these apps are developed by criminals who are hoping users will download and install the application, which will then allow them access to the smartphone’s system. This could include user information, such as a credit card number or Social Security number, or account numbers and passwords stored on the smartphone.
  • Insecure Applications (Apps): Recent studies show that even legitimate applications can allow sensitive information to be exposed to criminals looking for such information. Some of these applications include banking institutions and major retailer apps.

Protecting Yourself from the Risks of Mobile Applications

While it may seem like a scary world out there for those who want the convenience of mobile apps, there are ways to protect yourself. Some things you can do to protect yourself from the risks of mobile apps are:

  • Install an anti-virus software program that protects against spyware and malware as well. Make sure this software is reputable and is kept current through frequent updates.
  • Enroll in a backup program which also provides the capability for your phone to be remotely wiped. This will help protect the information on your phone should it become infected by malware.
  • Research apps to determine if they are safe before downloading them. Look at who developed the app. For most large companies the company should be the developer themselves. If the app is new, or not well known, do a quick Google search to see if there are any reviews of the app. A Google search for “(Insert App Name) problems” may be rewarding.
  • Review what information you are allowing the application access to when you accept the terms and permissions. Make sure that the amount of information you are allowing the app to have access to is only the information it will need to perform its intended function. If it requires access to lots of personal information, you will have to weigh the need for the app versus the exposure of that information to others.
  • Turn geolocation and GPS off when they are not immediately needed. This can easily be done through the privacy settings on your smartphone. Droids usually have an icon to turn on or off the GPS function. This will keep your location from being broadcast unintentionally through picture uploads, tweets, etc.
  • Do not root or jailbreak your phone. This makes it much more susceptible to malware. For more information on jailbreaking and rooting see ITRC Fact Sheet 145 on Smartphone Threats.

Signs that your Smartphone may have been Compromised

One of the problems when a device is infected with malware (or has otherwise been compromised) is it will be difficult for the user to tell. Unless an anti-virus has been installed and alerts users to the presence of malware, there is no notification that a smartphone has been compromised. However, there are a few indications that may mean that malware is present:

  • Decreased Performance: Just as your PC will slow down when infected with malware, a smartphone will do the same. Problems with slow operation and decreased functionality can mean that malware is present on a phone’s operating system.
  • Random action: If it seems as though your phone has a mind of its own, it may mean it is being controlled by an outsider. If applications open on their own, the phone powers on or off by itself or items are downloaded without permission, it may mean that software allowing outside access has been installed.
  • Unknown emails or phone calls: If a smartphone’s call log shows calls that you never made or emails have been sent to addresses you don’t recognize, this could be a sign of a smartphone that is infected and compromised.

Steps to Take if You Become a Victim

Protection is key to remaining safe from malware on smartphones.

  • If you have an anti-virus installed on the phone, the detection and removal of any malware should be simple and the anti-virus software will perform the task for you.
  • If you are unable to remove the malware, then a backup program with remote wiping capability will be incredibly helpful. All information should be wiped from the phone and the backup information can be downloaded to a new phone.
  • If you believe that sensitive personal information has been compromised, then you should take appropriate action to protect yourself from identity theft.

Definitions

  • Key Logging: The use of a computer program to record every keystroke made by a computer or smartphone user. The “key-logger” will then send the information to an outside server. This is often used in order to gain fraudulent access to passwords and other confidential information.
  • Spyware: Software that self-installs on a computer, enabling information to be gathered covertly about a person's Internet use, passwords, etc.
  • Botnets: A network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g., to send spam.
  • Trojan: A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user before it is run or installed but instead facilitates unauthorized access to the user's computer system.
  • Virus: A Virus is a software program capable of reproducing itself and usually capable of causing great harm to files or other programs on the same computer; they often have methods of infecting other computers.
  • Worms: A computer worm is a self-replicating malware computer program.
  • Geolocation: Geolocation is the identification of the real-world geographic location of an object, such as a cell phone or an Internet-connected computer terminal. For example, a picture taken with a smartphone may record the location within the picture file. When the file is posted on a social network site, any viewer may be able to determine the location from the data saved on the picture file. This could tell someone exactly where your home is located.

 

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to the ITRC.

 

Watch our Hands-On Privacy Videos

Hands-On Privacy with Your Mobile Apps 

Hands-On Privacy on Your Mobile Device

Hands-On Privacy on Your Social Media 

ITRC Fact Sheet 146
Smartphone Privacy and Security


The increasing use of smartphones for daily activities, such as emailing, banking, web browsing, shopping, bill tracking, social networking, file storage, and entertainment gives your mobile device the ability to know everything about you.  Not only do you know your smartphone, but your smartphone knows you.  Your smartphone’s knowledge, if not protected, is a potential risk to your security and privacy.  The ultimate question to ask: Is my privacy and security at risk?

Mobile malware is a rising threat to privacy and security.  What is mobile malware?

Mobile malware is a program specially created to infect your mobile phone or device.  Once installed on your device, it may disrupt the phone’s system, in order to gather information stored in the device.  It may also gain access to the device’s operating system, and take over the phone.

Mobile malware may present itself through fake mobile applications, web-browsing, and SMS/Text messages.

  • App-based malware attacks can target a user’s financial information.  This might include bank account numbers, passwords, and PINs.  The access of such information may result in the loss of money and/or account take-over.
  • Web-based Smartphone attacks can be a result of clicking on an unsafe link.  This may potentially give rise to “Phishing” scams or downloading infected files.
  • SMS/Text message-based attacks can be used to spread malware through unsolicited SMS/texts that request the user to reply or click on a link.  Unbeknownst to the user, malware may be installed on the device, leading to unauthorized access to the device’s information.

Securing your Smartphone device:

  • Passcode:  A passcode is a simple step you can take to protect your smartphone.  If it is stolen, with all of your personal information, this simple step may be the key to protecting your information from unauthorized users. 
  • Antivirus software:  Use mobile security antivirus software.   There are Smartphone apps designed to monitor and protect your device against malware and spyware.
  • Software updates:  Updating your smartphone’s operating software is another step towards securing your device. Software updates are designed to fix problems in the device’s operating program, which may include fixing security vulnerabilities or other bugs that may diminish your smartphone’s performance. Therefore, stay up-to-date on any software updates and make sure to install the latest version.

Important Note:  Do not allow your device to remember passwords. If your device is lost or stolen, the information is now compromised.

Android or iPhone: Which one do you have?

  • Regardless of whether you use an Android or an iPhone, your privacy and security may be at risk.  Understanding the operating system of your smartphone will require work on your part.  This knowledge will help you understand the capabilities of your device and help you understand potential threats to privacy and security.
  • Both platforms have their own App Stores and both employ different security measures to monitor and vet the apps that are allowed to be on the Android Market or the Apple App Store:
    • Android’s Google Market runs an open market. As the smartphone industry grows, it attracts more malware developers to organize attacks and put smartphone privacy and security at risk. The Android Market has been criticized by the industry several times for not vetting its mobile applications before they are added to the Android Market. What does this mean for you Android phone users? You will need to exercise caution when downloading apps to your device.
    • If you are an iPhone user, Apple reviews applications before they are added to the App Store. According to Computerworld, “When Apple reviews an app, it tries to verify several things, including these: Does the app do what it says it does? Does it function reliably? And does it respect the limitations that Apple has put on developers?” However, despite tighter security measures, it does not exempt the iPhone user from privacy and security threats.

Application Permissions/Access:

Ever wonder if the apps that you download put you at risk?  If not, you probably should. Many apps are designed to capture a wide range of information. Did you know that apps can:

  • Read phone state and identity?
  • Track your location?
  • Read owner data?
  • Read contact data?
  • Record audio – your calls?
  • Take pictures?
  • Modify or delete SD card content?
  • Edit SMS/text or MMS messages?
  • Write sync settings?
  • Send SMS messages?
  • Write contact data?
  • Fully access the internet?

The best security practices when downloading apps are exercising caution and reviewing the app’s ratings, regardless of whether the app is free or paid.

You should carefully examine and pay attention to the permissions the app is requesting to access:

  • Android Market apps require the user to either grant or deny access – if you deny access you will not be able to download and install the app.
  • iPhone apps will not disclose what the application has permission to access. When downloading an app whether free or paid, Apple requires the recognition of consent by having the user sign in using their Apple account.  The primary reason behind Apple’s non-disclosure of the information, according to Computerworld, is because “Apple tries to prevent developers from having full-scale access to all of the data and hardware” on a device running on Apple’s operating system. However, apps still have access to certain system components.

Because apps have access to a lot of your personal information and data on your Smartphone, familiarize yourself with what the app really needs in order to run.  If you feel it requires more than it really should, reconsider installing it.

Only download applications you trust.  Android users are allowed to download apps from third parties, whereas iPhone users are only allowed to download apps from the Apple Store, unless, of course, the iPhone has been “jail-broken.”  Jail-broken iPhones can download applications from the “Cydia App Store” (apps that have not been approved by Apple).

Location (GPS) and WiFi:

  • Many applications request permission to access location.  Consider turning off the location services (GPS) on your phone to protect your location privacy, unless it is necessary to perform a desired function.  Keep in mind that you have the ability to enable and disable the location services on your phone.
  • Have you ever taken photographs with your smartphone and posted them online?  What’s the worst that can happen? As careful as you may be, if your GPS is enabled, your personal information may be exposed through a process called “geotagging.”
    • According to PCmag.com, “Geotagging adds the current geographic location of the camera or smartphone to an image or message, or adds the static geographic location of a street address.”
    • This information most often includes latitude and longitude coordinates which are derived from a global positioning system (GPS).
    • While it sounds complicated, it really isn’t.  It simply means the marking of a video, photo, or other media with an embedded location of where it was taken.
    • Smartphones featuring GPS have made this “tagging” possible.
    • “Geotagging” has been considered an infringement on public privacy and problems can arise if the information is given out unknowingly and/or pulled by the wrong people. So, the photograph you took in front of your computer, at your doorstep, etc. has been recorded and may have possibly given your location.
  • To protect yourself, you can:
    • Turn the geotagging feature off.  
    • Download disabling software (it will search for geotagging information and delete it before sending).
    • Be aware and educate yourself.  Understand the information you are sharing.
    • Consider what you post on the Internet.  You never know who has access to it.
  • Protect your privacy and security by exercising caution while doing financial transactions or checking banking information while connected to public wireless networks (WiFi). Credit card and personal information transmitted through public WiFi may be up for grabs by identity thieves.
  • If you are a Smartphone user, it is highly recommended to use your Provider’s 3G or 4G Network to conduct any financial business.  After all, you are paying for the service.

 

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to the ITRC.


ITRC Fact Sheet 145
Smartphone Threats

The increasing use of smartphones for daily activities is a growing concern when it comes to personal information that is stored on your device. This information may be in danger of accidental exposure.

Phone Application Access: Before downloading any app, consider reviewing the information the phone app is asking permission to access. Apps for smartphones running on the Android operating system will disclose the information the application is requesting access to in order to run. This access may allow the app to control, change or modify information on your phone.

The information will vary depending on the app’s requirements. For example, the smartphone app may request permission to access the following:

  • Network Communication which will allow for full access to the Internet.
  • System Tools to prevent the phone from sleeping and allow the app to retrieve running applications.
  • Phone Calls may reveal the user's phone information, state and identity.
  • Your personal information which will read owner data and contact data.
  • Storage which could allow for SD card content to be modified or deleted.
  • Hardware controls which could enable the app to record audio and/or take pictures.

For Android phones, the user has to either allow or deny access to this information. If the user has granted the application permission to the information requested by the app, the user will be able to download the app. However, if the access is denied, the user will not be able to download the app.

For iPhone users, Apple does not require app developers to disclose the information an app will request permission to access. BlackBerry allows the user to modify the apps’ permission levels. For more information refer to ITRC Fact sheet FS 146: Smartphone Privacy and Security.

Updates: App updates and software updates are important to keeping your device and apps up-to-date. These updates are important because they provide solutions to previous app problems, such as bugs, in the device’s operating system. It is important to download the latest updates to protect your device from these problems that may give rise to others.

Email Accounts: Smartphones allow the user to have access to one or more email accounts. These accounts have a continued log-in access, unless disabled. The problem is the user may use email communication for many types of activities. This may include bank account transactions, transfer confirmations, payment confirmations, sending out resumes, retrieving forgotten passwords, and any other form of communication that displays sensitive personal information.

Wireless Networks: For information on wireless networks refer to ITRC Fact sheet FS 144: Smartphone Safety and ITRC Fact sheet FS 146: Smartphone Privacy and Security.

Password protected or not?

Every smartphone can be password protected or locked through a pattern code. Whether it is a feature already present in the phone’s settings or available through downloading an app, a smartphone can be protected. If your smartphone is lost or stolen, it could make a difference in allowing a hacker to gain access to your phone’s information.

For example: The iPhone offers the ‘Passcode Lock’ feature under Settings.


Smartphone Wiping: If available, consider turning on the ‘Data Protection’ feature on your phone. If your smartphone device does not offer a similar feature, consider enrolling in a Data Wiping service. Such services may be available through your cellphone provider. For more information on Wiping Services refer to ITRC Fact Sheet FS 144: Smartphone Safety.

For example: The iPhone offers the “Data Protection” feature under Settings. After 10 failed passcode attempts, all the data on the phone will be erased.


What is Jail-breaking / Rooting? Jail-breaking is breaking into the phone’s operating system to allow the phone to run apps that are not approved for that specific phone. For instance, the smartphone user wants an app that is not available or authorized for use with Apple or Android devices. This process is called “rooting” on the Android platform.
 

Apple is strict with its applications. It takes several steps to ensure the vetting of applications before they are allowed on the App Store. However, jail-breaking the iPhone will allow users to download apps from the Cydia App Store and to change various features on their phone. The problem with this is that Cydia Apps are not authorized for use by Apple.

Both jail-breaking and rooting are suspected of putting your device at risk for mobile malware, which can result in programs or software being installed on your phone without your knowledge. Malware can monitor and steal the data stored on your device. Another threat is the fact that jail-breaking or rooting your device requires the user to download a program to a PC or Mac in order to complete the process. This process may put both the smartphone and computer at risk of a malware attack. Many users have reported that certain JailBreakMe programs have infected their devices.

Please note that Apple does not support jail-breaking. In fact, it may be the case that if the iPhone is jail-broken, or an Android device is rooted, the phone’s warranty may be voided.

Applications: A major concern about apps is the type of personal information that apps can access - the information stored in your device. Every app is privy to certain information on a device; however, such information varies widely depending on the type of app that the user downloads.

For example:

  • Banking applications hold user names and passwords.
  • Bill Tracking Applications hold account numbers, company names, dates, etc.
  • Fake Text / Fake Telephone Call Applications allow text messages or calls to be sent to a recipient under a different name, so the recipient thinks they come from someone else. As a result, the recipient may end up sharing information with the wrong individual.
  • Credit Card Swiping Applications provide ability to obtain credit card information for payments. However, what happens if safety precautions are not taken to protect the information?
  • GPS (Global Positioning System) Applications store information under favorites for Navigation Apps. Also, if GPS is enabled, geotagging is enabled as well.

Accounts linked to Credit Cards: Smartphones can link financial accounts and shopping accounts, like PayPal and Ebay, to credit card or debit card numbers.

For example:

  • Android Google Market Apps require a PayPal account for purchase.
  • Apple’s App Store requires an Apple account and password to grant permission to download.
  • Banking Apps require user ID, password, and sometimes even PIN for access.
  • Shopping Apps may memorize account numbers for facilitation of payment.

For safety and privacy, consider inputting information for each transaction as opposed to having the phone memorize the accounts and passwords.

Direct Carrier Billing: Every wireless carrier offers a form of direct carrier billing. Verizon Wireless lets customers buy ringtones, ringback tones, and songs and allows them to pay for the transactions on their monthly phone bill. T-Mobile recently announced the expansion of such direct carrier services to browser-based purchases for any of T-Mobile’s smartphones. This means if you use direct carrier billing and purchase something online, you will be billed for that item in your monthly cell phone bill. The convenience of direct carrier billing is that you do not provide your credit card information when making purchases.

 

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to the ITRC.

 


ITRC Fact Sheet 144
Smartphone Safety


What is a smartphone?

A smartphone is a mobile phone with enhanced capabilities.   Many of these new functions are similar to those found on a PC.  With the increased abilities of the smartphone come built-in risks for exposure of personal information. This personal information, carried on and transmitted through the device, is highly desired for use by identity thieves. There are steps smartphone users can take in order to reduce the risks associated with using these devices.

Risks which occur when using a smartphone:

  • Phones are easily lost or stolen.  Think about how many times you have lost your cell phone.
  • These mobile devices are associated with and linked to a particular user for billing and account purposes.  This association is taken a step further when GPS is enabled on a device.
  • Increased mobility means increased risk of exposure.   Moving in and out of Wi-Fi service areas means moving in and out of firewalls and secure hotspots.
  • Some applications used on smartphones are unsafe.   Some can actually enable “phishing” or other malicious attacks.

Best practices to protect yourself and your personal information:

  • Password-protect your phone.  This is the simplest step you can take to prevent your information from being accessed.  Make sure it is a strong password that is not similar to or associated with any other personal information.
  • Install Security Software.  There are a number of companies which offer anti-virus, malware and security software designed especially for smartphones.   Make sure to download security software updates.
  • Be aware of what you are doing on your phone.  The same precautions you would take while on your home computer apply to your smartphone.  Double-check URLs for accuracy, don’t open suspicious links, and make sure a site is secure (https) before giving any billing or personal information.
  • Do not “jail-break” or use a “jail-broken” phone.  A “jail-broken” phone is a phone that has gone through a process which opens its operating system to applications which would otherwise not be compatible with the operating system. However, once “jail-broken,” the phone is vulnerable to anything the user downloads.  Note: The application necessary to jail-break an iPhone may put both your phone and PC at risk.
  • When installing an app on any smartphone, take the time to read the “small print.”  Evaluate the information the app requires access to, and consider if this information is necessary for the app to run successfully. If you cannot see a reason for the app to have access to the information, you should reconsider installing the app.
  • Install a “phone finder” app.   These apps are designed to help you find your phone if it becomes lost or stolen.
  • Enroll in a backup / wiping program. You can enroll in a program that will backup the information on your smartphone to your home computer.  Many of these services are also able to remotely “wipe” your phone if it is lost or stolen so that no data remains on the device itself.   These services are available through your smartphone’s manufacturer or through your wireless provider. 
  • Limit your activities while using public Wi-Fi.   Try not to purchase things or access email while using a public Wi-Fi zone.   Public Wi-Fi hotspots are targeted by hackers since they can give the hacker direct access to your mobile device.  Using your 3G or 4G network provider connection is much more secure than using a public Wi-Fi connection.
  • Check URLs before making a purchase using your smartphone.  Any page that requires credit card information should start with https://. This means it is a secured site.

If your smartphone is lost or stolen:

If you have enrolled in a backup / wiping program:

  • Contact the administrator of your program and have them “wipe” your phone.
  • Call your service provider and have them cancel your service and report your phone missing.

If you have not enrolled in a backup / wiping program:

  • Treat the loss of your smartphone as you would the loss of a wallet or purse.   You can find more information on handling these situations from ITRC Fact Sheet FS 104: My Wallet Purse or PDA was Lost or Stolen.

Smartphone Terms Defined

1G vs. 2G vs. 3G vs. 4G: The G in these terms stands for generation.   Therefore 1G would be the first generation of application services.   This includes wide-area wireless voice telephone, mobile Internet access, video calls and mobile TV, all in a mobile environment.   Each generation expands its capabilities and speed of the network for smartphones of that generation. 4G is currently the benchmark.

Applications (Apps): computer software designed to help the user to perform singular or multiple related specific tasks.

MMS (Multimedia Messaging Service): A standard way to send (picture) messages that include multimedia content to and from mobile phones.

Personal Information: The types of information often stored on a smartphone include, but are not limited to: bank user names and passwords (Banking applications); credit card information (online shopping); utility account information (bill tracking applications); email accounts; GPS information; and social media contacts.

Personally Identifying Information: This is the sensitive information that identifies you as an individual, and which can be used for identity theft. PII is information such as your Social Security Number, or Driver’s License number. This information often finds its way onto a smartphone and may enable a thief to do serious damage to you.

SIM – Subscriber Identification Module:   A removable smart card that stores information such as user identity, location and phone number, contact lists and stored text messages.

SMS:   SMS stands for short message service. SMS is also often referred to as texting, sending text messages or text messaging. The service allows for short text messages to be sent from one cell phone to another cell phone or from the Web to another cell phone.

WiFi: Wi-Fi is a wireless standard quite different from the “3G” or “4G” standard used by the telecommunications companies to communicate with your phone/smartphone.  WiFi allows a person or a company to set up a local wireless station with a range of about 50 yards, to allow WiFi devices within that range to connect, and by doing so enable a high speed connection to the Internet.  WiFi is used for computers, laptops, gaming consoles, TVs, Blu-ray players, and a host of other enabled devices, including most smartphones. Wi-Fi connects the guest device to the Internet when within range of a wireless network (WiFi hotspot).   WiFi hotspots can be private (protected by a password) or public (available to all local users).  The big advantage to the smartphone user is that many times a WiFi hotspot will provide faster connection speeds than using a 3G or 4G connection, and typically there are no data use charges for such a connection.  However, you should keep in mind that any WiFi hotspot, whether protected by a password or not, allows transmission of your data in a method which could be captured by another member of that secured network.

Smartphone FAQs

What are the benefits of having a smartphone?
Benefits of a smartphone include its size and mobility.   These devices are quickly replacing desktop computers for browsing websites, downloading music, checking emails, social networking and even uploading files.

Can my smartphone get a virus like my computer?
Yes.   A smartphone runs applications just as a computer would and is, therefore, susceptible to viruses specifically targeting smartphones.   The best way to protect yourself from this is to immediately install an anti-virus program on your phone, and to be very cautious about the Apps you choose to install.

What should I do with my smartphone when I am no longer using it?
The information on a smartphone can be accessed even if the phone isn’t being used anymore.   When disposing of your smartphone, information needs to be wiped clean from the phone’s memory and the factory settings restored. If possible, the SIM card should be destroyed unless it is being transferred to another device.
