Fact Sheets

ITRC Fact Sheet 137

Financial Exploitation of the Elderly

The injuries suffered by an older person from physical abuse or neglect are tragic, but there is another form of abuse not as publicized called “financial exploitation.” Financial abuse or exploitation can rob a senior of self-esteem and trust as well as his or her means of subsistence. When a relative, friend or caretaker exploits an older person and manages to drain away savings, assets and good credit that have taken years to accumulate and establish, the result can be devastating.  From that point on, the elder’s life style is severely diminished. 

Criminals target older adults for financial exploitation for a variety of reasons.  Criminals find seniors susceptible to these crimes of deception because they believe the older population has higher cash reserves and are less likely to check their credit reports or financial account statements carefully.  This may be due to the fact that they are usually in a financially stable position and are not opening new lines of credit.  This gives the thief the opportunity to steal a senior’s identity or money with a reduced probability of detection.  Some other reasons seniors are targeted is because the thieves assume they are less aware of the crime of identity theft and various scam scenarios.

In addition, older adults living in residential facilities - or under the care of someone - are at greater risk because the caretakers have access to the senior’s personal records.  This creates a situation which allows unscrupulous individuals to exploit those in their care.

Some examples of financial exploitation include:

  • establishing credit using the victims personal information
  • cashing an elderly person’s check without permission
  • forging the victim’s signature
  • misusing or stealing a person’s money or possessions
  • deceiving a victim into signing a contract, will, Power of Attorney, or other document

Identity thieves can drain bank accounts, open new accounts, rack up huge credit card bills, obtain loans, apply for jobs, refinance the victim’s home, obtain medical care and even commit crimes with the victim’s identity.

Some of the most common ways that identity thieves obtain personal data:

  • Wallet or purse theft:  seniors are more likely to carry their Social Security cards or Medicare cards with them, making them prime targets
  • Dumpster diving:  thieves dig for personal information in the trash of homes and businesses.
  • Phone scams: thieves pose as insurance companies, charities, banks, governmental agencies or other businesses to gather personal information over the phone.
  • Personal theft:  personal information is stolen by an employee, nurse, relative, or friend.
  • Records theft:  medical records, social security records, and other forms of personal records are a golden ticket in the wrong hands.
  • Online fraud:  fake emails and websites with false fronts are set up to trick unsuspecting consumers to provide personal data. The emails and websites can look legitimate and may even look just like a real communication from a company with which you do business.  Thieves may also collect information and/or money via lottery scams.
  • Mail theft:  thieves intercept incoming and outgoing mail to obtain personal identifying information, collect checks and pre-approved credit card offers.

Although each case presents its own particular facts, exploitation tends to follow a predictable pattern.  The exploitation usually begins with the existence of a relative, “friend”, or caregiver in whom the elder has placed confidence or trust. The delegation of financial authority to the exploiter may be done openly or come about more subtly.

In general, there seems to be an overall reluctance to report financial exploitation.  Elderly victims may fail to report the crime either because of their own incapacity or because of the stigma they feel may be attached to their being identified as a victim.  An older person may also be reluctant to report a relative or caregiver because of the emotional attachment to that person.  Often times the senior may be scared that if they do report they have become a victim of identity theft or a scam, they may lose their independence, because family members or guardians may deem them incapable of handling their own affairs.  The senior is often embarrassed or feels responsible and blames themselves for falling victim to the thief. Identity thieves and scammers know this and will plan to take advantage of it as much as possible.

Because they do make such attractive targets, seniors should be vigilant about protecting their personal information.  This includes:

  • Guarding Social Security numbers, checks, credit cards, Medicare cards, and financial statements. Leave these items in a locked security box at home or safety box at the bank. Do not carry such personal items in your purse, wallet or car.  See ITRC Solution SN 22 – Medicare Cards and Social Security Numbers.
  • Using a locked mailbox for incoming and outgoing mail.  Don’t put mail in your mail box with the flag up. This is an open invitation to thieves. If possible, go to the post office to mail items.
  • Investing in a small cross-cut shredder and destroy unneeded personal documents, receipts, pre-approved credit offers, unused or old checks and any other item that includes personal information about you or your accounts.
  • Not giving your Social Security number, mother’s maiden name, account numbers or passwords to strangers who contact you, especially by phone, internet or email. Legitimate businesses will never contact their customers and ask for this information. If you are doing business with them, they will already have your pertinent information. If there is any question, contact the company directly with the contact information you have, not the phone numbers or email the stranger gives you.
  • Checking your credit reports and financial statements regularly. If you notice any suspicious activity on your accounts or bill, contact the bank or company immediately.  To obtain your annual free credit report, call toll free 1-877-322-8228 or go to www.annualcreditreport.com.

If you suspect that you or someone you know may be a victim of financial exploitation, please use the resources below for assistance.

Department of Justice - Elder Justice Initative

Contact the Department of Health & Human Services Administration on Aging abuse hotline by calling toll-free 1-800-677-1116. You will be directed to local contacts and resources to help with your specific situation.

Contact the National Center on Elder Abuse (NCEA) at 1-800-667-1116 or www.ncea.aoa.gov.

This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..

ITRC Fact Sheet 135
Business Best Practices:
For Small to Mid-Range Businesses


The following is a guide for the small to mid-size business (SMB) community to assist in planning, addressing, and dealing with issues that may expose the business to data breaches and/or identity theft. In order to conduct business, most companies must keep sensitive personal information in their files. Personally Identifying Information (PII) includes items such as names, Social Security Numbers, credit card information, or other financial account data that identifies customers or employees.

This information often is necessary to fill orders, meet payroll, or conduct other necessary business functions. However, if sensitive data is exposed to the wrong parties, it can lead to fraud, identity theft, or other serious consequences. Given the cost of a security breach, safeguarding personal information is just smart business. In addition to the direct costs, you also risk losing your customers’ trust and perhaps even defending yourself from legal action.

Some businesses may have the expertise necessary to design and implement an appropriate plan in-house. Others may find it helpful to seek a knowledgeable expert. The information in this guide is designed to assist you in identifying the risks to your business. When considering your “Best Practices” strategy, you will need to evaluate what information is required for your business to function, why this information is necessary, and what would be the consequences of exposure of this information. In other words, what is the “Risk Versus Reward Ratio” of collecting and keeping each class of PII?

Note: some reasons for collecting personal information may include:

  • Tax requirements
  • Insurance
  • Contractual agreements

Any additional information that your business collects should be carefully assessed for the risk versus reward benefit.

The key to a strong best practices policy is a six point approach to data and data security.

  • Step one is the assessment of what data you need, what data is required, and what data may be beneficial but ultimately unnecessary. Collecting and keeping only that data necessary for your business is always a best practice.
  • Step two is to identify, create and control the flow of data from the point of collection throughout the entire business operation. This includes when the data may be on the move whether it is moving in or outside of your business.
  • Step three is to determine who within the business needs access to the data to do their job. Controlling the access to data and restricting it to just those that must use the data is very important. You should not assume that those who currently have access to a class of data still need on-going access to that data.
  • Step four is to secure the data. Data storage is a key issue because how you store it may also determine what your legal obligations may be in the case of a data breach. Both digital data and paper files must be considered in this context.
  • Step five is to implement the use of proper data disposal procedures. Proper storage of PII will mean very little if the data becomes exposed when the intention is to dispose of the data. It will not do your business any good to keep data secure if it ends up in the dumpster behind your building, or a used computer is sent to recycling with data files on the hard drive. Properly dispose of what you no longer need.
  • Step six is to plan for what happens when something goes wrong or fails, and a data exposure occurs. There is no fool-proof system for securing all your PII data all the time. There is no way to protect against a truly determined thief, so your best efforts need to be directed towards reducing your risks where and whenever possible, and having a pre-existing plan if data exposure should occur.

It is most important that SMB executive staffs plan ahead. Create a plan to respond to security incidents. Look closely at what your business does, and how you do it. You must assess the information you have, identify those with access to it, and create effective policies regarding information safety. That being said, let’s look at some of the factors that affect data security:

Physical Security

Many data compromises happen when paper documents are lost or stolen. Of particular note is the frequency of exposure of PII through the disposal of paper documents without proper shredding. Appropriate storage is also a concern.

  • Store paper documents or files, as well as CDs, floppy disks, zip drives, tapes, and backups containing PII in a locked room or in a locked file cabinet.
  • Limit access to these documents to employees with a legitimate business need.
  • Control who has access keys and the number of keys issued. 
  • Require that files containing personally identifiable information only be taken out of secure storage when being used. Documents and data should be kept in locked file cabinets except when an employee is working on the file.
  • Remind employees not to leave sensitive papers out on their desks when they are away from their workstations.
  • At the end of the day, require employees to secure files, log off their computers, and lock their file cabinets and office doors.

Minimize your risk by implementing appropriate access controls for your building. Instruct employees how to report any incident if they see an unfamiliar person on the premises. If you ship sensitive information using outside carriers or contractors, encrypt the information and keep an inventory log of the information being shipped. Also use a shipping service that will allow you to track the delivery of your information.

Electronic Security

Computer security isn’t just the realm of your IT staff. Make it your business to understand the vulnerabilities of your computer systems, and follow the advice of experts in the field. It is necessary that executive(s) and/or officers of the company continuously update their knowledge of security exploits, and become even more aware of the human factor in most data exposures. The best security practices will fail if employees do not follow the protocols, or are dishonest.

General Network Security

Identify the computers or servers where sensitive personal information is stored. It is good practice to minimize the number of machines that store PII. Physical security of sensitive computers, as well as network security is easier when the number of machines is smaller. 

Identify all connections to the computers where you store sensitive information. You may be surprised at the number and types of connections that could be used to copy PII or transfer it outside your security zone. Connections might include the Internet, electronic cash registers, branch office connections, computers used by service providers to support your network, wireless devices (inventory scanners), blue tooth devices, USB devices, CD/DVD burners, and cell phones or PDAs. Each of these types of connections can offer both accidental and intentional exposure of sensitive data.

It is desirable to store PII on servers that are not also used as an Internet web server. There have been a significant number of data breaches in the past year due to incorrect web server permissions. If the PII is stored on a file server (not a web page server), then a host of possible problems are eliminated. 

Encrypt sensitive information that you send to third parties over public networks (like the Internet), and consider encrypting sensitive information that is stored on your computer network or on disks or portable storage devices used by your employees. Consider also encrypting email transmissions within your business if they contain personally identifying information. Many state laws do not consider an incident to be a breach IF the data was encrypted at the time of exposure. 

Regularly run anti-virus and anti-spyware scans on individual computers and servers on your network. It is vital to see that these programs are updated with the most recent definition files, and that Windows updates are enabled.

Check expert websites and your software vendors’ websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor-approved patches to correct problems. Scan computers on your network to identify and profile the operating system and any open network services. If you find services enabled that are not in use, disable them to prevent hacks or other potential security problems.

Password Management

Control access to sensitive information by requiring that employees use “strong” passwords. Explain to employees why it is against company policy to share their passwords or post them near their workstations. See that password-activated screen savers lock employee computers after a short period of inactivity. Server policies should lock out users who don’t enter the correct password within a designated number of log-on attempts, although the policy can allow the employee to try again after a designated period of time. This policy has a major effect in stopping automated password cracking attempts. 

When installing new software, immediately change vendor-supplied default passwords to a secure strong password. Caution employees against transmitting sensitive personally identifying data such as Social Security numbers, passwords, and account information via email. Unencrypted email is not a secure way to transmit any information.

Laptop Security

Assess whether sensitive information really needs to be stored on a laptop. If not, delete it with a “data wiping” program that overwrites data on the laptop. Deleting files using standard keyboard commands isn’t sufficient because data may remain on the laptop’s hard drive. Data wiping programs are available at most office supply stores.

Restrict the use of laptops to only those employees who need them to perform their jobs. Even when laptops are in use, consider using cords and locks to secure laptops to employees’ desks. Also, if a laptop contains sensitive data, encrypt it and configure it so users can’t download any software or change the security settings without approval from your IT specialists. 

Additionally, train employees to be mindful of security when they’re on the road. Require employees to always store laptops in a secure place. They should never leave a laptop visible in a car, at a hotel luggage stand, or packed in checked luggage unless directed to by airport security. If it is ever necessary to leave a laptop in a car, it should be locked in a trunk. (For more on travel security measures reference ITRC Fact Sheet FS 134 - Business on the Move).


A firewall is software or hardware designed to block hackers from accessing your computer. It is preferable that you also use a router with a hardware firewall. This is a strong protective measure. Make sure you always have at least one firewall in operation. Remember to keep all firewall software updated. (For additional information on firewalls, please see ITRC Fact Sheet FS 119 - Direct Connections to the Internet).

Wireless and Remote Access

Determine if you use wireless devices like inventory scanners or cell phones to connect to your computer network or to transmit sensitive information. If you do, consider limiting who has the ability to remotely access the computer network. You can also make it harder for an intruder to access the network by limiting the number of wireless devices that can connect to your network. Encrypting transmissions from wireless devices to your computer network may prevent an intruder from gaining access through a process called “spoofing”—impersonating one of your computers to get access to your network. Consider using encryption if you allow remote access to your computer network by employees or by service providers, such as companies that troubleshoot and update software you use to process credit card purchases.

Detecting Breaches

To detect network breaches when they occur, consider using an intrusion detection system. To be effective, it must be updated frequently to address new types of hacking. Maintain central log files of security-related information to monitor activity on your network so that you can spot and respond to attacks. If there is an attack on your network, the log will provide information that can identify the computers that have been compromised.

Employee Training

A well-trained workforce is the best defense against identity theft and data breaches. Check references or do background checks before hiring employees who will have access to sensitive data.

Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. Employees should understand that abiding by your company’s data security plan is an essential part of their duties. Regularly remind employees of your company’s policy—and any legal requirement—to keep customer information secure and confidential. 

Know which employees have access to consumers’ sensitive personally identifying information. Pay particular attention to data like Social Security numbers and account numbers. Limit access to personal information to employees with a “need to know.” 

Train employees on how to recognize security threats. Tell them how to report suspicious activity and publicly reward employees who alert you to vulnerabilities. Require employees to notify you immediately if there is a potential security breach, such as a lost or stolen laptop. Impose disciplinary measures for security policy violations.

Have a procedure in place for making sure that workers who leave your employ, or transfer to another part of the company, no longer have access to sensitive information. Terminate their passwords, and collect keys and identification cards as part of the check-out routine.

Security Practices of Contractors and Service Providers

Your company’s security practices depend on the people who implement them, including contractors and service providers. Before you outsource any of your business functions— payroll, web hosting, customer call center operations, data processing, or the like—investigate the company’s data security practices and compare their standards to yours. Address security issues for the type of data your service providers handle in your contract with them. Insist that your service providers notify you of any security incidents they experience, even if the incidents may not have led to an actual compromise of your data.

Document Disposal

Leaving credit card receipts or papers or CDs with personally identifying information in a dumpster facilitates fraud and exposes consumers to the risk of identity theft. By properly disposing of sensitive information, you ensure that it cannot be read or reconstructed. Implement information disposal practices that are reasonable and appropriate to prevent unauthorized access to—or use of—personally identifying information. Reasonable measures for your operation are based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. Effectively dispose of paper records by shredding, burning, or pulverizing them before discarding. Make shredders available throughout the workplace.

Rules for the Company

There should be a person in your company or organization that audits information and tracks who has access to PII files or records. This person should be the first person notified in the event information is misplaced or lost. This way, a response team can be alerted to follow a pre-established protocol regarding information containment as well as implement the steps which need to be taken at that time by the company or agency.

Point of Contact for Data Breaches

There should be a person in your company or organization that audits information and tracks who has access to PII files or records. This person should be the first person notified in the event information is misplaced or lost. This way, a response team can be alerted to follow a pre-established protocol regarding information containment as well as implement the steps which need to be taken at that time by the company or agency.

Security Check: Reducing Risks to your Company

When consumers open an account, register to receive information, or purchase a product from your business, it’s very likely that they entrust their personal information to you as part of the process. If their information is compromised, the consequences can be far-reaching. Consumers, if victimized by the data exposure, can become less willing – or even unwilling – to continue to do business with you.

Company Rules 

Now it is more important than ever that companies have established, well-document policies for the collection, storage, protection and disposal of personal information. More companies are finding themselves being held responsible for the data they collect. This becomes apparent when a company has a data breach that is nothing more than a classic mishandling of information. Across the United States, attorneys are holding these companies to a higher standard. The companies that do not have clearly defined programs and policies find themselves unable to defend themselves in a court of law. It is imperative to put all protocols in writing.

If it is not in writing, then there is little or nothing to protect you in a court of law. A verbal policy is not really a policy.

When adopting a “Best Practices” strategy, consider the following:

  • What information does your business need to function?
  • What information is required to function?
  • What is the risk versus reward value of additional information?
  • When evaluating your business’ security, you need to follow the flow of information so you can identify the potential problem spots.

Some Questions to Ask Yourself 

Do you receive or collect PII from:

  • your customers?
  • credit card companies?
  • banks or other financial institutions?
  • credit bureaus?
  • any other source?

How does your business receive or collect personal information?
Does it come to your business:

  • through a website?
  • by email?
  • through U.S. Mail?
  • transmitted through cash registers in stores?
  • by face-to-face interactions?

What kind of information do you collect at each entry point?

  • Social Security numbers
  • Credit card numbers
  • Driver’s license numbers
  • Checking account information
  • Other financial account information
  • Passwords
  • Other general information (such as telephone, address, date of birth)

Where do you keep the information you collect at each entry point?
Is it in maintained or stored in/on:

  • a central computer database?
  • individual laptops?
  • disks or tapes?
  • file cabinets?
  • branch offices?
  • an employee’s home files?

Who has or could have access to the information?

  • All employees
  • Selected employees
  • Consultants
  • Service providers
  • Outside sub-contractors*
  • Temporary/employment agency
  • Non-employees on official business
  • General public

* for example, billing department, janitorial, call center, laboratory, marketing firms, payroll, credit card processing company, check processing company, mail fulfillment house

If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. Don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it is necessary.  

The most effective data security plans deal with four key elements: physical security, electronic security, employee training, and the security practices of business relationships.

Related Resources:


This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..

ITRC Fact Sheet 134
Business on the Move for the Business Traveler

The business traveler often carries electronic storage devices and documents for reference or work while on planes, in hotels, and in the spare time between meetings. There is often information you may need in case your office or a customer contacts you during your trip. However, some of the information included may be sensitive personally identifying information (PII). PII includes Social Security numbers, employee identification numbers, addresses, insurance policy numbers, credit card or payroll information, financial account numbers, and other items that could be readily used by an identity thief.

Business travelers must stay alert for situations that an identity thief might use to try to steal this information, and also guard against inadvertent loss or exposure of PII. Any person could be looking for the opportunity to gain access to sensitive information in your possession, waiting for a good opportunity. In this respect, you should not trust anyone you meet with any PII. Housekeeping staff, bellmen, security guards, TSA agents, front desk clerks, and many others you encounter during your trip could have the opportunity to access your data if you are not aware.

You must realize that once you remove PII from your office, you are solely responsible for its protection and security. In addition, even inadvertent exposure or loss of such information (without theft involved) could trigger state breach laws which can require:

  • Law enforcement data exposure notification
  • Consumer or customer notification of those exposes
  • Media notification

These data exposure events (data breaches) may cost your company money, consumer trust and negative publicity.  

Rules for the Road

The following items should be considered when you are on the move:

  • Laptops, Computer Storage Devices, and PDAs with personally identifying information (PII) – The best way to protect this information is by using data encryption to encrypt the device prior to leaving the workplace. While many people believe password protection is sufficient they can be bypassed by anyone with enough knowledge and capability. Encryption is the gold standard in data protection. Do not carry the encryption code in writing with you. Commit it to memory.

    Prior to beginning your trip, make time to consider which files really need to be carried on the trip. Although it is usually easier to do a “data dump” to your laptop, such action may expose large amounts of sensitive data to unnecessary risk. Take only those files which are likely to be needed during the trip.
  • Make an effort to keep your laptop in your control at all times. Be especially alert when going through airport security when crowds and security procedures may cause some chaos. Do not put your laptop through the security x-ray scanner until you are in position to be the next person through the metal detector. Thieves are waiting for those moments to distract you while an accomplice picks up your laptop from the opposite side of the x-ray scanner. By the time you get through the metal detector, your laptop is long gone.

    Other protective measures include: GPS tracking devices for the laptop; fingerprint readers to access laptop files; and remote wipe capabilities that enables you to delete all the information off a device in case you lose it or it is stolen. Finally, it is important to log out of your computer when it is not in use, even if it is for just a few minutes.
  • Paper Documents with PII – Sensitive documents should always be kept in a locked briefcase that is secured at all times. As in the case of data files, select only those files for the trip that are likely to be needed. Do not leave sensitive documents in baggage that must be checked for flight.

    If, during a trip particular documents become no longer necessary, see that they are shredded at the first opportunity. Most hotel business centers have crosscut shredders available for your use. Do the shredding yourself. All documents should be cross-cut shredded when no longer needed.
  • Hotel Safes – Be sure to take advantage of hotel safes if you are leaving your laptop, PDA or storage devices in a hotel room, even for a short period of time. Many persons have access to your hotel room when you are not there. Leaving any of your valuable items in the room, in this case PII, is providing an opportunity to a thief. You must recognize that the information you carry is a target for an identity thief.
  • Business Center Computers – There is always a higher risk in using a public computer. In addition to leaving information (history) on the computer about your cyber travels, there may be malware or viruses that have been installed on the computer. These might be a virus, key-logger, Trojan, or worm that you then allow to transfer to your company network when you log in to your company network. Key-loggers are programs that record and store each and every keystroke you make while using an infected computer. That keystroke data is quietly stored for later access by the thief. When it is retrieved, the thief will have an exact record of all the websites you visit, files you access, including your company network, and your user name and password that were used to access any accounts you visited. This information is a goldmine for an identity thief.

    A better choice would be to use your own laptop and connect to a hotel network while using a virtual private network (VPN).
  • Personal and Business checks – Leave personal checkbooks and checks at home. If necessary, keep business checks in a secure location (hotel safe) when not needed. Checking account takeover is one of the hardest types of financial fraud to remedy. ITRC recommends that you use cash, traveler’s checks or credit cards for purchases.
  • Leave bills at home – Taking personal bills and financial account information with you during your travels puts you at greater risk for identity theft. Unfortunately, many people have access to your room while you are away at meetings and victims have reported that financial account information and checking information has been stolen in this way.
  • Pickpockets – Business travelers should be aware that in addition to wallets, pickpockets are also looking for laptops and PDAs that are temporarily out of your control. This can easily happen at airports, in hotel lobbies and in restaurants. Remember, out of sight means out of control. Thieves may travel in pairs and watch where you put your belongings long before you know you are even a target.
  • Shoulder surfers – Many business travelers are tied to cell phones or PDA devices 24 hours a day. In public areas, identity thieves use “shoulder surfing” to gain access to your personal information. That term used to only apply to those who looked “over your shoulder” to see information. With the common use of cell phones, we forget that we are in a public venue and may talk about things that a thief can overhear and use. (This pertains to public payphones as well.) In other words, if you wouldn’t want to see it on a billboard, don’t talk about it on a phone in public. This includes PII as well as company proprietary information.
  • Mail – If you travel frequently, you might want to consider having a P.O. Box rather than allowing mail to accumulate in your mailbox. If you do not have a locked mailbox, and don’t want to get a P.O. Box at the post office, at least put your mail on “postal hold” while you are gone. 

Rules for the Company

There should be a person in your company or organization that audits information and tracks who has access to PII files or records. This person should be the first person notified in the event information is misplaced or lost. This way, a response team can be alerted to follow a pre-established protocol regarding information containment as well as implement the steps which need to be taken at that time by the company or agency.

For additional information about ways to reduce identity theft risk while traveling, please refer to:

ITRC Fact Sheet FS 122 - Identity Theft Travel Tips


This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..

ITRC Fact Sheet 133
The Military and Identity Theft

Checking Accounts 

The ITRC suggests that active duty personnel consider using online banking services in order to monitor and track bank account activity.   Please be aware of your environment (for example key loggers, spyware, shoulder surfing) when accessing accounts.

Placing an Active Duty Alert

An active duty alert is similar to a fraud alert in that it requires an inquiring creditor to verify that it is you who is attempting to open a line of credit. The difference is, unlike the 90 day fraud alert, this alert lasts for a year. Additionally, if you are deployed out of the country and cannot be contacted, you may appoint somebody you trust to act as your representative. 

Contacting CRAs by mail (see ITRC Solution SN 02 – CRA Contact Information)

  • Experian:  P.O. Box  9701, Allen, TX  75013-0949
  • Trans Union:  P.O. Box  2000, Chester, PA 19016
  • Equifax:  P.O. Box  740241, Atlanta, GA  30374-0441 

Send a letter asking for an Active Duty Fraud Alert to be placed and your credit report to be mailed to you (see ITRC Letter Form LF 133). Enclose the following items:

  • A copy of your driver’s license or state identification card
  • A copy of your Social Security card
  • A copy of your military identification card
  • A copy of your orders
  • A copy of a bill that shows your address of record, if address is different from the address on driver’s license or state identification card

Contacting Credit Reporting Agencies – Placing Alerts Online

Power of Attorney

Service members in the U.S. Military often consider granting a Power of Attorney to a spouse or a loved one before they are deployed. Although this can be a good idea, please be careful. 

Unfortunately, many service members have found out too late that the person they gave a General Power of Attorney to did not have their best interests in mind. They come home to find their bank accounts cleaned out, credit cards opened in their name, and other credit problems that are all legally possible due to a General Power of Attorney.

We suggest that you read the Explanation of Powers of Attorney put together by the Judge Advocate General office.  This document on Powers of Attorney covers issues like: how to stay safe when filing a POA, what you will need to grant a POA depending on POA category, and how to revoke it when you are ready to. The ITRC strongly suggests that you consult with the Judge Advocate General office for Command Legal Assistance prior to granting any Power of Attorney.


Identity Theft Resource Center

  • 24/7, Toll-free, no-cost victim assistance:  888-400-5530 (U.S. only)
  • www.idtheftcenter.org
  • ITRC Fact Sheet FS 124 – Fraud Alerts and Credit Freezes

Federal Trade Commission website: www.identitytheft.gov 


For further information visit the following links:


This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to This email address is being protected from spambots. You need JavaScript enabled to view it..


ITRC Sponsors and Supporters 





Go to top