A person holding a smartphone against an ominous background with a red circle.

People who are in or have left abusive relationships face very clear threats, including physical violence, sexual violence, emotional abuse, and verbal aggression. They may also come to realize they are being spied on or stalked—in person or virtually on their computers, phones, and connected devices. It can be frightening, but Consumer Reports has compiled a list of ways you can take back control.

Security and domestic violence experts say it’s critical to figure out how an abuser may be accessing information you haven’t shared, such as your physical location, who you’ve been speaking to, or details of personal conversations.

“You’re basically approaching the whole situation like you’re a detective,” says Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.

People may assume that an abuser has installed stalkerware on their devices when the real explanation is simpler and can be addressed first, says Toby Shulruff, senior technology safety specialist at the National Network to End Domestic Violence. “The more common thing is that all of these everyday features of our phones are used for monitoring,” she says.

More on Digital Security & Privacy

Start out with the basics, like changing passwords and reviewing privacy settings on your accounts, Galperin says. An abuser may be getting information through shared calendar apps, social media check-ins, email being forwarded to another account, location sharing on navigation tools or other apps, or well-meaning friends who don’t know about the abuse.

Or the perpetrator could have physical access to your phone or be able to log in to your cellular account to look through call logs, text messages, and billing records.

Once you’ve looked into these access points, see if the situation persists. If it does, your problem could be stalkerware, software that’s covertly placed on computers or mobile devices that can intercept phone calls and text messages, and secretly record other information.

How to Get Help

Before taking steps to cut off an abuser’s access to your devices and accounts, bear in mind that in some cases it could be risky: An abuser could react with anger. But you don’t have to face the decision on how to proceed by yourself.

For help navigating your options and for emotional support, contact a domestic violence counselor or advocate. The National Domestic Violence Hotline has trained expert advocates who can walk you through ways to protect yourself and build a safety plan, and give you referrals to local domestic violence counselors. You can also call the hotline at 800-799-7233.

Shulruff recommends calling the hotline using a different phone from the one you suspect may be compromised. It’s best to use a device the abuser doesn’t have access to, such as a trusted friend or family member’s phone or a landline at work.

As an added precaution, you can keep the current phone you’re concerned about in a different location while you call, in case there is stalkerware on it, which could allow the microphone to be turned on without your knowledge.

There’s one more factor to consider before you act. Cutting off an abuser’s access to devices or accounts might make it more difficult to prove that digital abuse took place. If you’re planning on filing a civil restraining order or criminal report, or even reporting digital abuse to your email provider, a social media platform, or another company, it’s worth taking screenshots that could be evidence.

You can also consult a lawyer to get help figuring out how to best preserve evidence of digital abuse. The National Domestic Violence Hotline can point you to legal resources, including lawyers who are used to working with people who have low incomes.

Once you’re ready, here’s what you can do to secure your private information.

List Your Online Accounts

Make a list of any account that shares information with others. This might include:

  • Email accounts.
  • Social media accounts (Facebook, Instagram, Twitter).
  • Ride-hailing apps (Uber, Lyft).
  • Streaming media accounts (Netflix, Hulu).
  • Bank and credit card sites.
  • Cable, phone, and utility companies.
  • Computer and mobile device passwords or PINs.

Change Your Passwords

Next, change your passwords on accounts that contain personal information, and use a unique password for each account. Because it can be difficult to memorize a different password for each account, you can save those new passwords in a password manager that an abuser won’t have access to. After you change your passwords, you can log out anybody else who might be accessing those accounts. Make sure you don’t accidentally log yourself out before revoking an abuser’s access, because they could lock you out of your own account.

Set Up Multifactor Authentication

After changing your password, safeguard your accounts with another layer of defense by using multifactor authentication (MFA), sometimes called two-factor authentication (2FA). Once you enable it, you’ll need a second element (or factor) to log in, in addition to your password. That way, even if your password is compromised, it’ll be more difficult for an abuser to access your account.

Services implement MFA in a variety of ways. Receiving codes via text message or email is the only option for some online services. However, if you can, it is even safer to set up MFA using an authentication app, such as Authy. These apps are often recommended by security experts because codes sent by text message or email can sometimes be redirected or intercepted.

Don’t Forget Connected Devices

If you use any apps that control connected gadgets, such as smart lights, door locks, thermostats, and even fitness trackers, make sure to change the sharing settings and set up MFA for those as well. These apps can give away information such as when you’re home or when you’re exercising or out and about.

Secure Your Devices

If you’re an Android user or have a Gmail account, run through the security and privacy check on your Google account settings. 

On your Android phone, make sure that Google Play is set up correctly and no stalkerware apps have been loaded. You can do this by checking whether Google Play Protect has been disabled under Settings > Security > Google Play Protect. This setting scans your phone for harmful apps daily. It should be turned on, and the last scan should have happened within the past day. If the feature is turned off, you’ll want perform a factory reset on your phone.

If you’re an iPhone user, download Trail of Bits’ iVerify app, $3, and follow the steps listed to make sure your phone is secure. You can also follow steps to see if anyone has access to your accounts, actively stop sharing, and make sure no one else can see your location.

Watch Your Social Media Updates

You may inadvertently be sharing information with your abuser on social media. Even if your account is set to share only with certain friends or you have a stalker blocked on a public account, it’s possible that a mutual acquaintance is passing the information on. And if someone else tags you in a photo or checks in with you at a location or an event, you might be showing up to all their friends as well. Check your account security on Facebook, Instagram, Google, LinkedIn, and Twitter, and decide whether you want to change your privacy settings to limit access to your posts.

Pay Attention to Your Conversations

If it seems like an abuser is eavesdropping on all your conversations using stalkerware, is it possible that a well-meaning friend could be sharing information with them, instead? This can happen accidentally by people who aren’t aware of how dire the situation might be, or who an abuser has manipulated into sharing key details, for example by feigning concern for a target’s mental health.

Start by limiting the information you share to just a few trusted people. Ask your friends, family, and employer to keep your location data and any other sensitive information private, both online and in personal conversations.

Consider Antivirus Software

If you’re still concerned about stalkerware on your Windows computer or Android phone after following the steps above, you can download antivirus software that specifically detects the most common types. (While Consumer Reports also tests antivirus software, the recommendations below are specific to stalkerware.)

Eset, Kaspersky, and Trend Micro’s Android apps all did well in finding stalkerware in evaluations by independent testing organization AV-Comparatives, while BitDefender, Eset, Kaspersky and Norton tested well on Windows. Malwarebytes is also recommended by digital security experts specializing in protection against stalkerware.

If you find stalkerware on one of your devices, you can remove it by following the steps given by your antivirus software, but remember that you don’t have to remove it if you don’t want to. Leaving stalkerware on your computers or devices can help you collect evidence or avoid tipping off an abuser that you’re aware of it until after you’ve taken additional steps to increase your personal safety.

“The target is the person with the best assessment of their own appetite for risk and the likelihood that their abuser will escalate based on the knowledge that they have taken the stalkerware off their device,” Galperin says.