How to Shut Stalkers Out of Your Tech

    People facing domestic abuse can take these steps to lock down their devices and eliminate stalkerware

    person using a cell phone Photo Illustration: Consumer Reports, Getty Images

    People who are in or have left abusive relationships face very clear threats, including physical violence, sexual violence, emotional abuse, and verbal aggression. They may also come to realize they are being spied on or stalked—in person or virtually on their computers, phones, and connected devices. It can be frightening, but Consumer Reports has compiled a list of ways you can take back control.

    Security and domestic violence experts say it’s critical to figure out how an abuser may be accessing information you haven’t shared, such as your physical location, who you’ve been speaking to, or details of personal conversations.

    “You’re basically approaching the whole situation like you’re a detective,” says Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.

    People may assume that an abuser has installed stalkerware on their devices when the real explanation is simpler, says Toby Shulruff, senior technology safety specialist at the National Network to End Domestic Violence. “The more common thing is that all of these everyday features of our phones are used for monitoring,” she says.

    More on Digital Security & Privacy

    Start out with the basics, like changing passwords and reviewing privacy settings on your accounts, Galperin says. An abuser may be getting information through shared calendar apps, social media check-ins, email being forwarded to another account, location sharing on navigation tools or other apps, or well-meaning friends who don’t know about the abuse.

    Or the perpetrator could have physical access to your phone or be able to log in to your cellular account to look through call logs, text messages, and billing records.

    Once you’ve looked into these access points, see if the situation persists. If it does, your problem could be stalkerware—software that’s covertly placed on computers or mobile devices that can intercept phone calls and text messages, and secretly record other information.

    How to Get Help

    Before taking steps to cut off an abuser’s access to your devices and accounts, bear in mind that in some cases it could be risky: An abuser could react with anger. But you don’t have to face the decision on how to proceed by yourself.

    For help navigating your options and for emotional support, contact a domestic violence counselor or advocate. The National Domestic Violence Hotline has trained expert advocates who can walk you through ways to protect yourself and build a safety plan, and give you referrals to local domestic violence counselors. You can also call the hotline at 800-799-7233.

    Shulruff recommends calling the hotline using a different phone from the one you suspect may be compromised. It’s best to use a device the abuser doesn’t have access to, such as a trusted friend or family member’s phone or a landline at work.

    As an added precaution, you can keep the current phone you’re concerned about in a different location while you call, in case there is stalkerware on it, which could allow the microphone to be turned on without your knowledge.

    There’s one more factor to consider before you act. Cutting off an abuser’s access to devices or accounts might make it more difficult to prove that digital abuse took place. If you’re planning on filing a civil restraining order or criminal report, or even reporting digital abuse to your email provider, a social media platform, or another company, it’s worth taking screenshots that could be evidence.

    You can also consult a lawyer to get help figuring out how to best preserve evidence of digital abuse. The National Domestic Violence Hotline can point you to legal resources, including lawyers who are used to working with people who have low incomes.

    Once you’re ready, here’s what you can do to secure your private information.

    List Your Online Accounts

    Make a list of any account that shares information with others. This might include:

    • Email accounts.
    • Social media accounts (Facebook, Instagram, Twitter).
    • Ride-hailing apps (Uber, Lyft).
    • Streaming media accounts (Netflix, Hulu).
    • Bank and credit card sites.
    • Cable, phone, and utility companies.
    • Computer and mobile device passwords or PINs.

    Change Your Passwords

    Next, change your passwords on accounts that contain personal information, and use a unique password for each account. Because it can be difficult to memorize a different password for each account, you can save those new passwords in a password manager that an abuser won’t have access to. After you change your passwords, you can log out anybody else who might be accessing those accounts. Make sure you don’t accidentally log yourself out before revoking an abuser’s access, because they could lock you out of your own account.

    Set Up Multifactor Authentication

    After changing your password, safeguard your accounts with another layer of defense by using multifactor authentication (MFA), sometimes called two-factor authentication (2FA). Once you enable it, you’ll need a second element (or factor) to log in, in addition to your password. That way, even if your password is compromised, it’ll be more difficult for an abuser to access your account.

    Services implement MFA in a variety of ways. Receiving codes via text message or email is the only option for some online services. However, if you can, it is even safer to set up MFA using an authentication app, such as Authy. These apps are often recommended by security experts because codes sent by text message or email can sometimes be redirected or intercepted.

    Don’t Forget Connected Devices

    If you use any apps that control connected gadgets, such as smart lights, door locks, thermostats, and even fitness trackers, make sure to change the sharing settings and set up MFA for those as well. These apps can give away information such as when you’re home or when you’re exercising or out and about.

    Secure Your Devices

    If you’re an Android user or have a Gmail account, run through the security and privacy check on your Google account settings.

    On your Android phone, make sure that Google Play is set up correctly and no stalkerware apps have been loaded. You can do this by checking whether Google Play Protect has been disabled under Settings > Security > Google Play Protect. This setting scans your phone for harmful apps daily. It should be turned on, and the last scan should have happened within the past day. If the feature is turned off, you’ll want perform a factory reset on your phone.

    If you’re an iPhone user, download Trail of Bits’ iVerify app, $3, and follow the steps listed to make sure your phone is secure. You can also follow steps to see if anyone has access to your accounts, actively stop sharing, and make sure no one else can see your location.

    Watch Your Social Media Updates

    You may inadvertently be sharing information with your abuser on social media. Even if your account is set to share only with certain friends or you have a stalker blocked on a public account, it’s possible that a mutual acquaintance is passing the information on. And if someone else tags you in a photo or checks in with you at a location or an event, you might be showing up to all their friends as well. Check your account security on Facebook, Instagram, Google, LinkedIn, and Twitter, and decide whether you want to change your privacy settings to limit access to your posts.

    Pay Attention to Your Conversations

    If it seems like an abuser is eavesdropping on all your conversations using stalkerware, is it possible that a well-meaning friend could be sharing information with them, instead? This can happen accidentally by people who aren’t aware of how dire the situation might be or who an abuser has manipulated into sharing key details, for example by feigning concern for a target’s mental health.

    Start by limiting the information you share to just a few trusted people. Ask your friends, family, and employer to keep your location data and any other sensitive information private, both online and in personal conversations.

    Look for Tracking Devices

    Consumers often use Bluetooth trackers such as AirTags or Tiles to keep tabs on physical devices they’re likely to misplace. Unfortunately, these can also be used for stalking. If you are concerned about being followed by someone using a physical tracker, there are two steps you can take. You can run scans with a phone app to see if they catch a device nearby (see details below), and you can physically search for the devices.

    If you do find a physical tracking device, you have options on how to respond. “My suggestions would depend on the target’s understanding of who is tracking them and how they are likely to react if that tracking stops or if they receive an indication that the target knows they are being tracked,” says Galperin.

    In some cases, you may choose to do nothing to avoid tipping off an abuser until you’ve taken additional steps to increase your personal safety. In other cases, you might choose to remove the battery or otherwise disable the device, or even to take it to law enforcement. Tile and Apple both provide instructions on how to disable an unwanted tracker.

    Physically Search for Tracking Devices

    “A thorough physical investigation should have a pretty high record of success,” says Adam Dodge, founder of EndTAB, an organization that provides training on staying safe from tech-enabled stalking, harassment, and abuse. If you’re being targeted using one of these devices, it’s most likely going to be planted on something that regularly moves with you. “That really narrows it down to vehicles, bags, or clothing,” he says. 

    Additionally, the AirTag itself might emit a sound alert as a warning that it has been separated from its owner, which can help you locate it. 

    We’ve provided images of some of the devices below.

    Trackers Tile Mate, Tile Pro, Tile Sticker, Tile Slim, Apple Air Tag, Samsung Tag+, Samsung Smart Things, Chipolo Chip, Chipolo Card
    Popular trackers, clockwise from lower left: AirTag, Tile devices, Chipolo trackers, Samsung SmartThings and SmartTag trackers

    Photo: Tile, Apple, Samsung, Chipolo Photo: Tile, Apple, Samsung, Chipolo

    Scan for Tracking Devices

    You can scan for some tracking devices electronically. (You may find a physical tracker an app doesn’t find, or vice versa. There may even be more than one.) You can download apps to help you look for Apple AirTags and Tile’s Bluetooth trackers, which are the most popular of these devices. However, not all trackers have detection apps, so you’ll still need to do a physical search.

    How to scan for AirTags: If you use an iPhone, Apple will send a security alert to your phone if an unknown AirTag is following you, if it’s not near the AirTag owner’s device. However, this doesn’t happen immediately. If you receive a security alert, tap the alert and follow the instructions, and check the “Find My” app under “Items.” Even If you don’t receive a warning on your phone, you can still check to see if there are any AirTags associated with your account on your iPhone.

    You can also scan for AirTags on an Android phone, though not as effectively. “Apple is very good at finding its own products, and other Bluetooth detection apps are not good at consistently finding AirTags,” Galperin says. Still, you can download Apple’s free Tracker Detect app to scan for nearby AirTags and to play a sound if one is found. You can also try the third-party app AirGuard

    How to scan for Tiles: To use Tile’s Scan and Secure feature, download the Tile app on your phone. (If you already have the app, make sure you have the latest version.) Then open the app, tap “Settings” at the top right corner of the screen, scroll down and select Scan and Secure, and tap “Continue.”

    Next, you’ll need to move some distance away from your original location to see if any Tiles are moving with you. Make sure to bring your purse, wallet, jacket, or items you typically carry with you. Be aware that taking public transit could lead to false positives if the feature detects Tiles or Tile-enabled devices used by other passengers. Instead, try walking, driving, cycling, or riding in a vehicle away from your home for the 10 minutes it takes the scan to run. 

    Consider Antivirus Software

    If you’re still concerned about stalkerware on your Windows computer or Android phone after following the steps above, you can download antivirus software that specifically detects the most common types. (While Consumer Reports also tests antivirus software, the recommendations below are specific to stalkerware.)

    Eset and Trend Micro’s Android apps both did well in finding stalkerware in evaluations by independent testing organization AV-Comparatives, while BitDefender, Eset, and Norton tested well on Windows. Malwarebytes is also recommended by digital security experts specializing in protection against stalkerware.

    If you find stalkerware on one of your devices, you can remove it by following the steps given by your antivirus software, but remember that you don’t have to remove it if you don’t want to. Leaving stalkerware on your computers or devices can help you collect evidence or avoid tipping off an abuser that you’re aware of it until after you’ve taken additional steps to increase your personal safety.

    “The target is the person with the best assessment of their own appetite for risk and the likelihood that their abuser will escalate based on the knowledge that they have taken the stalkerware off their device,” Galperin says.

    Headshot of Electronics freelance writer, Yael Grauer

    Yael Grauer

    I am an investigative tech reporter covering digital privacy and security. I'm the lead content creator of CR Security Planner, a free, easy-to-use guide to staying safer online. Prior to Consumer Reports, I covered surveillance, online privacy and security, data brokers, dark patterns, clandestine trackers, security vulnerabilities, VPNs, hacking, and digital freedom for Wired, Vice, The Intercept, Slate, Ars Technica, OneZero, Wirecutter, Business Insider, Popular Science, and other publications. Follow me on Twitter (@yaelwrites)