Rental Application: Anti-Fraud Checklist + Watermark (Practical Guide)

Why a rental application is a fraud target

A rental application is used to assess your situation (identity, address, employment status, income). But that same bundle of documents can also interest fraudsters because it combines several strong proofs (for example identity + income + proof of address). That is why an anti-fraud strategy should aim at two simple goals: minimize what you share and control how you share it.

What a landlord can request (and the framework to know)

In France, the list of supporting documents that may be requested from a rental applicant (and guarantor) is regulated by decree, and official pages summarize it. Service-Public.fr notably details identity, address, employment status and income documents, with lists of allowed evidence.

CNIL also reminds that a future landlord is entitled to request the documents needed to build the application (especially to assess solvency) and refers to the decree that defines the list of supporting documents.

Practical takeaway (without legal jargon): if someone asks for a document outside the allowed list or clearly disproportionate, you have a solid reason to request an alternative (or refuse). Even when the request is legitimate, you can still apply reasonable protections: contextual watermarking, redaction of unnecessary fields, and secure delivery.

Key principle: proportionality and minimization

The right reflex is not "send everything, every time", but "send what is necessary, at the right time, to the right person, in a controlled way". This matches the purpose of the file (assessing solvency and identity) and ensures only relevant documents circulate.

Ready-to-use anti-fraud checklist

This checklist is designed as a 10 to 15 minute procedure before each submission. It covers anti-scam checks, file preparation, watermarking, redaction, sending, and keeping evidence.

Box - Downloadable checklist (text / CSV)

Copy the table below for immediate use.

For a CSV file: copy the block below into a file named checklist_rental_application.csv (UTF-8 encoding, ; separator).

Checklist (table)

Step	Action (concrete)	Why	Done?
Check the listing	Search for the listing on other websites + verify price/address consistency	Spots the most obvious fake listings	☐
Check the recipient	Ask for the agency/landlord identity + an official contact channel	Reduces the risk of sending to an impersonator	☐
Limit the scope	Send only what is requested and justified by the allowed list	Less data = less risk	☐
Create a "send" version	Duplicate the files (never modify the original)	You keep your source version intact	☐
Rename clearly	Example: 2026-02-22_RentalApplication_Name_ForAgencyX.pdf	Traceability + less confusion	☐
Watermark each document	Add "Rental use - [recipient] - [date]"	Deterrence + contextualization	☐
Redact unnecessary fields	Hide national ID number, IBAN, internal identifiers, etc. (depending on context)	Reduces out-of-context misuse	☐
Test redaction	Verify that the hidden text cannot be copied / found again	Avoids a false sense of security	☐
Choose the delivery method	Prefer a time-limited link + restricted access	Fewer copies and better control	☐
Protect with a password	Encrypted ZIP or protected PDF if needed	Additional protection in transit	☐
Separate channel for the secret	Send the link by email, the password by SMS/call	CNIL recommendation	☐
Keep evidence	Screenshots + email + date + sent version	Useful in case of dispute or fraud	☐
Plan for deletion	Remove the link/access after the decision	Reduces exposure duration	☐

CSV file (UTF-8) to import into your tool / spreadsheet

The block below repeats the checklist in a simple format (; separator) for a spreadsheet or tracking tool.

You can adapt it (status, notes, file name, recipient) to match your workflow.

Step;Action;Why;Status;Notes
Check_listing;Compare listing on other websites and verify consistency;Detect fake listings and inconsistencies;To_do;
Check_recipient;Ask for official agency/landlord contact details;Avoid sending to an impersonator;To_do;
Limit_scope;Send only the required documents;Data minimization;To_do;
Duplicate_files;Create a \"send version\" copy;Preserve originals;To_do;
Rename_files;Name with date plus recipient plus type;Traceability;To_do;
Watermark;Add contextual watermark on each document;Deterrence and proof of context;To_do;
Redaction;Hide non-required fields;Reduce identity misuse risk;To_do;
Test_redaction;Test copy/search of text;Avoid fake redaction;To_do;
Delivery_mode;Use expiring link plus restricted access;Limit distribution;To_do;
Password;Encrypt if needed (ZIP/PDF);Additional protection;To_do;
Separate_channel;Send password via separate channel;CNIL recommendation;To_do;
Keep_evidence;Archive email/screenshots/sent version;Incident handling;To_do;
Remove_access;Remove link/share when no longer needed;Reduce exposure;To_do;

Watermark: recommended settings and ready-to-copy templates

A watermark does not mechanically prevent fraud, but it reduces out-of-context reuse (for example a scan shared elsewhere) and creates a trace: who the document was intended for, on what date, and for what purpose.

Simple settings that work well

Keep the text short, without ultra-sensitive data (avoid adding your full address, document number, etc.).
Placement: central diagonal (or a light repeated pattern if you worry about cropping).
Opacity: low to medium (the goal is to hinder reuse, not make the file unreadable).
Repetition: useful on documents that are easy to crop (for example ID scans).

12 watermark text templates (copy/paste)

RENTAL APPLICATION - Single use - [Agency/Landlord name] - [DD/MM/YYYY]
COPY PROVIDED FOR SOLVENCY REVIEW ONLY - [DD/MM/YYYY]
CONFIDENTIAL - DO NOT SHARE - [Recipient name]
DOCUMENT SENT TO [Recipient name] - Any reuse prohibited
RENTAL - APPLICATION - [Recipient name] - [Listing ref]
PROOF FOR VIEWING / FILE REVIEW - [DD/MM/YYYY]
TENANT FILE - WATERMARKED VERSION - [Recipient name]
COPY FOR REVIEW - NOT VALID FOR OTHER USE - [DD/MM/YYYY]
RENTAL USE ONLY - [Recipient name] - [City]
SENSITIVE FILE - LIMITED SHARING - [DD/MM/YYYY]
SENT FOR RENTAL REVIEW - Please delete after decision - [DD/MM/YYYY]
RECIPIENT: [Recipient name] - FILE ID: [XXXX]

Tip: if you want a more operational watermark, use template 1 and add a simple internal identifier [DL-2026-02-22-01] (without personal data).

Step-by-step watermarking procedure (all platforms)

The simplest method (Windows / Mac / Android / iOS) is to use a web watermarking tool:

Open the watermarking tool.
Import the PDF or image.
Choose a text (one of the 12 templates), position, opacity and repetition.
Generate and download the watermarked version.
Rename it immediately with the date + recipient (traceability).

Possible CTAs to place on the page / website:

"Generate my 'Rental application' watermark (pre-filled)"
"Download the 12 templates"
"Receive the checklist by email"
"Try watermarking 1 document for free"

To go further, also see our watermark guide and our article how to protect your personal documents before sending them.

Redaction: what to hide and how to do it correctly

Redaction means deleting or making certain sensitive information permanently unreadable. The critical point: visually blacking something out (annotation) is not always the same as removing the information, especially in a PDF where text may remain copyable.

The goal is to keep what proves the situation (identity, solvency, employment) while reducing data that can be easily reused out of context.

Security rule: annotation != deletion

If you use a true redaction tool, it should permanently remove sensitive content and ideally hidden data as well (comments, layers, metadata). Adobe documents this principle with its PDF redaction tool.

Quick test (do this every time):

Open the final PDF.
Try to select / copy text around the redacted area.
Use Search: if the hidden word is found, it is not real redaction.

What to redact on a payslip (fictional before / after example)

Payslips often contain identifiers and details that are not needed to assess solvency. The idea: keep what proves income and employment, while limiting what makes identity misuse easier.

Before (fictional)

Name: Camille Martin
Full address: 12 rue Exemple, 75000 Paris
National ID / social security number: 2 86 ...
Employer + company registration, period, net salary, totals, etc.

After (fictional, often recommended)

Keep: first/last name, period, employer (at least the name), net pay, and optionally gross total if requested.
Redact: national ID/social security number, full address if not required, internal identifiers (employee ID), IBAN if visible, internal codes/QR codes.
Recommended watermark: RENTAL APPLICATION - Single use - Agency X - 22/02/2026
Then test the result (copy/search) before sending.

Important: what to hide depends on what is actually requested. If a field is explicitly requested, ask for an alternative (for example a certificate) instead of guessing.

What to redact on an ID document (fictional before / after example)

In a rental file, an ID document may be part of the allowed documents. The goal is to add context (watermark) and reduce out-of-context reuse without making the document unusable.

Before (fictional)

ID card / passport / driver's license: photo, name, date of birth, document number, MRZ (machine-readable zone), etc.

After (fictional, depending on recipient acceptance)

Keep: photo, name, key dates, validity period, issuing authority.
Optional (to be validated): hide part of the document number or the MRZ if the agency accepts a less reusable proof.
Add a very visible watermark (central diagonal), because cropping is common on scanned IDs.
Recommended watermark: COPY PROVIDED FOR RENTAL - Agency X - 22/02/2026 - DO NOT SHARE

Free step-by-step procedures (Windows / Mac / Android / iOS)

Below are realistic free methods. For long files, a dedicated redaction solution (often paid) is more comfortable, but these workflows can already give you a good level of protection.

Windows (free)

Option A (simple and robust): redact via image (rasterization)

Open the PDF.
Display the page containing the sensitive information.
Take a screenshot (Snipping Tool).
Open the image in Photos / Paint and hide the information.
Repeat for each required page.
Rebuild a PDF (for example "Microsoft Print to PDF"), then apply a watermark if needed.

Option B (PDF annotation for marking, then export)

You can annotate a PDF with the built-in Microsoft Edge reader (highlighting / annotations).

Warning: a black annotation is not always deletion. Always run the "copy / search" test.

macOS (free)

Option A (simple): screenshot + redaction on image

Open the PDF.
Take a screenshot of the area / page (Shift + Cmd + 4).
Open the screenshot in Preview and hide the fields (black shapes).
Export as PDF (or group several images, then export).
Apply a watermark afterward if needed.

Option B (iPhone -> Mac Continuity annotation)

Apple documents annotation workflows ("Markup") via iPhone / iPad to work on documents and images.

Again: test that the information cannot be recovered (search / copy).

iOS (iPhone / iPad) (free)

On iPhone / iPad, you can annotate a PDF or an image using Apple markup features (shapes, text, highlighting).

Recommended method (simple for a photo ID)

Open the image of your ID in Photos.
"Edit" -> Markup tool.
Add an opaque black rectangle over the areas to hide.
Save a "send version" copy (keep the original intact).
Apply a watermark afterward (web tool) if needed.

For a PDF: if you cannot guarantee the annotation removes the information, prefer an image version (page screenshot) for the most sensitive pages, then assemble into a PDF if needed.

Android (free)

ID document (image)

Open the photo in Google Photos.
"Edit" -> draw / markup.
Hide the sensitive fields.
Save a copy dedicated to sending.

PDF

For one or two pages: screenshot + redaction on image (similar approach to Windows / macOS).

For a large file: prefer a recognized redaction solution (even paid if used frequently), because the page-by-page screenshot method becomes time-consuming.

Send the file securely (and keep proof)

The risk does not come only from what you send, but also from how you send it. CNIL provides very practical security precautions for sensitive documents sent to third parties.

Recommended best practices (simple and effective)

CNIL notably recommends:

encrypting sensitive files when needed;
using protocols / services that ensure confidentiality and authentication (for example HTTPS, SFTP);
sending the secret (password / key) through a separate channel;
limiting availability duration and restricting access to authorized recipients.

From recommendations to practical actions

In practice, you can turn these recommendations into simple actions:

Prefer a private link (drive / server) with expiration and access restrictions whenever possible.
If you protect the file (ZIP / PDF), send the link by email and the password by SMS or phone call (separate channel).
Remove access (or delete the link) as soon as a decision has been made.

Sending email template (copy/paste)

Subject: Rental application - [First name Last name] - [Property address]

Hello [Name / Agency],

Following our discussion about the rental of [address/area], you will find my application file via the link below:

Link (restricted access): [URL]
Available until: [DD/MM/YYYY]
File ID: [DL-XXXX]

For security reasons, the password (if needed) is sent through a separate channel.

Please confirm receipt and, once your decision has been made, deletion of unnecessary copies.

Kind regards,
[First name Last name]
[Phone]

What to do if you suspect fraud or identity misuse

Even with precautions, doubts can arise: a strange listing, a recipient insisting on unusual documents, or signs that your data has been used. The goal is to act quickly, document what happened, then follow official procedures.

Immediate actions: first reflexes

1. Stop the spread

Remove access to the link (revoke it).
Change the password if you used a protected ZIP / PDF.

2. Document everything

Keep emails, SMS messages, URLs, screenshots, sent versions, date / time.
Keep a simple timeline: who, when, what, through which channel.

3. Alert the relevant organizations if misuse is observed

The official Service-Public identity theft portal reminds that a victim may file an incident report when there is suspicion, then file a formal complaint once an offense is established. It also details procedures by domain (financial, administrative, digital).

In financial identity misuse cases, actions may include informing banks / financial institutions and performing checks (for example via mechanisms mentioned by public sources).

CNIL also explains response steps (complaint, online pre-complaint, etc.) and recalls the legal framework.

For general public guidance, recent French public service pages (economie.gouv.fr, Banque de France, Service-Public) also provide prevention and response pointers.

Message templates (ready to send)

Message to the recipient (request deletion / clarification)

Hello,

For security reasons, please confirm:
- your identity / role (agency/landlord) and official contact details;
- the exact use of my documents and their retention period;
- deletion of any unnecessary copies.

Without a clear reply, I will remove access to the file.

Kind regards,
[Name]

Message to an organization claiming an unpaid debt / credit you did not take

Hello,

I formally dispute being the originator of [contract/credit] referenced [ref].
I am attaching [complaint/incident report] and request the immediate suspension of any proceedings against me, as well as the disclosure of the elements used to open it (date, channel, supporting documents).

Kind regards,
[Name + contact details]

Where to find official procedures

The Service-Public "Identity theft" guide explains the steps (incident report in case of suspicion, complaint when an offense is established), useful evidence, and domain-specific procedures.

CNIL also details the available options (complaint, online pre-complaint) and the supporting documents sometimes requested depending on the type of misused information.

In addition, Banque de France and economie.gouv.fr pages can help you structure your response depending on the situation (banking, credit, administration, digital misuse).

Legal notes, CNIL compliance and limits

Proportionality: the file is meant to assess the situation / solvency; requested documents should remain relevant and within the regulated scope.
Sending security: applying simple measures (restricted access, limited duration, separate channel for the secret) is consistent with CNIL precautions.
Fictional examples: document and message examples are provided for educational purposes only.
No absolute promise: watermarking + redaction + secure sending reduce risk without guaranteeing fraud becomes impossible.
Useful internal links: keep our watermark guide and the article how to protect your personal documents before sending them handy to complete your process.

The right goal is not perfection, but a repeatable procedure: verify, limit, watermark, redact, send properly, keep proof.

Mini FAQ: rental application, watermark and anti-fraud

Quick answers to complete the checklist and avoid the most common mistakes.

Should I watermark every document?

Yes, ideally every document you send, using the same context (recipient + date), so that one non-watermarked page cannot circulate on its own.

Is a watermark enough against fraud?

No. It helps add context and deter reuse, but it should be combined with secure delivery and, when needed, redaction.

Can I send a file by regular email?

It is possible, but a restricted-access / expiring link is preferable. If you encrypt the file, send the password through a separate channel, as CNIL recommends.

How can I be sure my redaction is permanent?

Test it: search for / copy hidden text. For permanent removal, prefer a dedicated redaction tool (for example a PDF redaction tool documented by the editor).

What should I do if I think I sent my file to a fake listing?

Remove access, keep evidence, then follow official procedures (incident report in case of suspicion, complaint if an offense is confirmed).