What Is Shoulder Surfing? How It Happens & How Do You Protect Yourself From It


Rahul Sharma
Writer
Dolores Bernal
Editor
September 18, 2023


Have you ever noticed someone looking over your shoulder at the ATM? They are probably shoulder surfing to steal your PIN. It has happened to me a few times. In one such instance, I stopped, then turned back and confronted the man. 

I told him that he was crowding my space, and I was uncomfortable. Then, I asked him to step back and let me finish. I made sure he knew I was not making a request. He said he was sorry and backed off.

Shoulder surfing is not some new-fangled scam. It has been around since the 1980s, when thieves would watch callers punch their calling card numbers into public pay phones. The thief would then use the stolen card number for personal long-distance calls or sell it cheaply on the street.

Skilled thieves like their anonymity, and shoulder surfing is one of the lowest-tech ways to steal credentials without leaving a digital trail. Fraud is big business: according to FTC data, consumers reported losing about $8.8 billion to fraud in 2022, an increase of more than 30 percent from the year before.

Do you want to know the tactics people use to do shoulder surfing and how you can protect yourself? Keep reading as we deep dive to find out! 

What Is Shoulder Surfing?

Shoulder surfing is a social engineering technique in which the criminal watches over the victim's shoulder to capture what they type or what appears on the screen of a phone, laptop, or ATM.

The goal is your personally identifiable information: PINs, usernames, passwords, card numbers, and other sensitive data. Shoulder surfers may also gather details simply by eavesdropping on a conversation. The thief then uses your personal data for monetary gain, which is how identity theft often begins.

According to an NYU study, 73 percent of participants said they had viewed someone else's confidential PIN without that person's knowledge.

Shoulder Surfing Examples and Where They Can Happen


These are the most frequent examples of shoulder surfing and where they may happen.

1. At The ATM

So, there you are, casually typing in your PIN without a care in the world, not paying much attention, or chatting on the phone with your significant other.

Meanwhile, the guy behind you is watching your every keystroke with great interest. And boy, does he hit the jackpot! Unwittingly, you just handed him the keys to your bank account.

Shoulder-surfing scammers are modern thieves; they find creative yet sneaky ways to make their move at the ATM.

  • Observing: The person behind you watches you type your PIN. Worse, if you leave in a hurry before the machine ends your session, the thief may not even need the PIN: on ATMs that do not hold your card, they can simply press Yes when the screen asks whether you want another transaction and withdraw your funds. Always wait for the session to end, and take your card and receipt with you.
  • Recording or filming you: Some shoulder surfers install tiny pinhole cameras near the keypad so they can record your PIN entry and read your card.
  • Spying devices: Other thieves wait in a vehicle in the parking lot and watch the keypad with binoculars or a long camera lens, or listen in with a directional microphone.
  • Skimming: Scammers attach a small reader to the card slot that copies your card's magnetic stripe data, usually paired with a hidden camera or a fake keypad overlay that captures your PIN. Skimming is not strictly shoulder surfing, but the two are often combined: the skimmer gets the card data and the camera gets the PIN.

2. Accessing Mobile Banking Services In Public 


Using mobile banking in public feels like an ordinary activity, but it gives shoulder surfers a chance at your credentials.

For example, say you are at the supermarket or the airport and want to check your balance. The app asks you to sign in, so you quickly type your username and password.

Someone standing behind you can read the credentials as you type them. Later, the thief signs in to your bank account with the same details.

3. Overcrowded Areas

Imagine you are out with your homies at a restaurant or bar and want to move some money to cover the tab. A shoulder surfer standing close by can watch you type your credit card details and later use them to run up charges or drain the account.

In another instance, a victim may leave their device unattended in public to use the restroom. But wait: the thief has just watched the victim type their username and password into the device and can quickly use that information to unlock it and expose private information.

4. Public Transportation

Trust me; it is not the best experience. Once, when my mobile device went missing while I was traveling on vacation, fraudsters gained information about my bank details, digital wallets, and email. They could even change my passwords and log me out of my accounts.

On crowded public transportation, thieves can easily view other people's phone screens and overhear their conversations. Think about it: you often use your phone while on transit, and the shoulder surfer standing next to you is in the ideal position to read your screen. Some go further and snatch the phone or wallet itself, gaining control over your private data.

5. Public WiFi


If you log in to accounts over the WiFi at a nearby cafe, your data may be at risk. A public hotspot is shared with strangers, and anyone on the same network can capture traffic that is not encrypted (plain HTTP connections, or apps that do not use TLS). A VPN encrypts everything between your device and the VPN server, so the hotspot operator and other users see only scrambled data. Most banking apps and websites already use HTTPS, so at the cafe the bigger risk is often the person at the next table reading your screen.

Unfortunately, you may not even realize it is happening. The attacker gathers your information from a distance while you are busy on Facebook, Instagram, or other work.

6. Phone Conversations In A Public Place

Consider a scenario in which your son calls and asks for your credit card information to make an online purchase. As you read your card number, expiration date, or other personal data aloud, an attentive shoulder surfer nearby can hear the conversation and note your details. Scammers do not always watch you type; sometimes they just listen.

7. Using The Laptop In Public

Browsing financial accounts on a laptop in public is less secure than you might think. A laptop screen is larger and readable from farther away than a phone display, so a shoulder surfer in a cafe or airport lounge has the perfect chance to gather sensitive data.

You could be logging in to your accounts, not knowing that someone behind you is reading the screen. Shoulder surfers can copy your account details and use them to take over your accounts.

What Are the Negative Effects of Shoulder Surfing?

Shoulder surfing can have severe repercussions, including identity theft and the sale of your data on the dark web to criminals who drain bank accounts. In 2022, the FTC received over 1.1 million reports of identity theft.

The consequences depend on how much information the thief obtains: a social media login is one thing; credit card details and online banking credentials are another.

Identity thieves can use identifiers like your Social Security number (SSN) to open new accounts, apply for loans, and use your health insurance to obtain medical care or claim government benefits in your name.

Control over this data lets them ruin people financially with bogus transactions, leaving you with massive debt, a damaged credit score, and possibly legal trouble over accounts you never opened.

Tips For Preventing Shoulder Surfing


1. Use Strong, Unique Passwords and a Password Manager

A password manager helps you keep track of many complex passwords. It stores all your usernames and passwords in one place and fills them in for you when you sign in. That matters against shoulder surfing: if the manager autofills the password, you never type it, so there are no keystrokes for anyone to watch. Use a unique password for every account, so a password that does get observed unlocks only that one account.

Since complex passwords are hard to remember, consider a reputable password manager like 1Password. It generates long, hard-to-guess passwords and keeps all your passwords and sensitive data in an encrypted vault.

2. Keep Potential Scammers Away

When typing your PIN, cover the ATM keypad. Shoulder surfers cannot steal what they cannot see. Put your body between the confidential data and anyone who could see it: shield the PIN pad with your other hand while typing, or stand with your back to a wall and keep your phone close to your body.

3. Watch Your Surroundings

Never let your guard down in public places. Thieves go after those they perceive to be the most vulnerable. If you are easily distracted, you may not notice that someone is paying attention to what you do, say, or type.

4. Privacy Screens Are Handy

You can attach a privacy filter to your device's screen. Also called physical filters or privacy screens, they narrow the viewing angle so the display is readable only head-on and looks dark from the side, making it hard for anyone next to you to see what you are doing.

5. Secure With Two-factor Authentication

Two-factor authentication (2FA) adds a second layer of protection: besides your password, you must prove you have something else, such as a code from an authenticator app, a text message, or a hardware security key.

If you enable 2FA, your bank sends or generates a one-time code at login that is valid only for a short time. Even if a shoulder surfer captured your username and password, they cannot sign in without that code. One caveat: a code displayed on your phone can itself be shoulder-surfed, so use it promptly and prefer an authenticator app or hardware key over SMS, which can also be intercepted through SIM-swap fraud.
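Here is how that time limit works under the hood, as an added example (not code from the original article or from any bank): a minimal implementation of the time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps use, together with the server-side check. The secret is the RFC's published test value and the timestamps are constructed, not real credentials. It also shows the caveat above in practice: a code that a shoulder surfer reads off your screen is rejected once it has been used or once its 30-second window has passed, because the verifier remembers the last accepted time step.

```python
"""Time-based one-time passwords (RFC 6238) with replay protection.

Added example, not from the original article. The secret and timestamps
below are constructed test values (the RFC 6238 test vector), not real
credentials.
"""
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds each code stays valid (RFC 6238 default)
DIGITS = 6
WINDOW = 1       # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check. It remembers the highest time step it has accepted,
    so a code that a shoulder surfer saw and replays is rejected, even inside
    the same 30-second window."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_counter = -1   # highest counter accepted so far

    def verify(self, code: str, now: int) -> bool:
        counter = now // TIME_STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= self._last_counter:
                continue   # already used, or older than the last accepted step
            # constant-time compare so the check itself leaks nothing about the code
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._last_counter = c
                return True
        return False


def demo() -> dict:
    """Walk through one login plus the two attacks a shoulder surfer could try."""
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret (constructed)
    server = TotpVerifier(secret)
    t0 = 59                             # constructed timestamp from the RFC test vector
    code = totp(secret, t0)             # what the authenticator app shows the user
    return {
        "code": code,
        "first_use": server.verify(code, t0),                     # legitimate login
        "replay_same_window": server.verify(code, t0 + 5),        # surfer replays it 5 s later
        "after_expiry": server.verify(code, t0 + 3 * TIME_STEP),  # surfer tries 90 s later
        "fresh_code_later": server.verify(totp(secret, t0 + 3 * TIME_STEP), t0 + 3 * TIME_STEP),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is the part that is easy to forget: without `_last_counter`, a code observed over your shoulder works for the rest of its 30-second window (plus the drift window), which is plenty of time for someone standing next to you to type it in.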

6. Sign in With Biometrics Features

If you want even more safety, enable biometric authentication for unlocking your devices and banking apps. With a fingerprint or face unlock there is no PIN or password to type, so there is nothing for a shoulder surfer to watch. Keep in mind that your device still accepts its passcode as a fallback, so guard that passcode just as carefully: a thief who watches you enter it and then steals the phone can unlock it.

7. Do Not Enter Personal Information on Public Computers

Public computers in libraries, hotels, or business centers may be infected with spyware that steals your personal data, and anyone can walk up behind you. Avoid entering sensitive credentials on such systems.

8. Watch Your Bank Records Regularly

If a shoulder surfer uses your stolen data to get into your accounts, spotting it quickly limits the harm.

Check your bank accounts and card statements weekly. If you see a transaction you do not recognize, notify your bank right away. Most banks have fraud procedures in place, and watching for signs of criminal activity gives you a head start on damage control.

9. Check Credit Reports

If you see evidence of fraud on your credit report, you can place a fraud alert with the credit bureaus to protect your credit score from further damage. A credit monitoring service tracks your accounts and notifies you about questionable activity.

You also do not have to watch your credit report yourself if you use Aura's credit monitoring service. It monitors activity tied to your SSN, bank, and personal accounts and alerts you if something suspicious occurs.


10. Device Updates

Security patches fix known weaknesses and usually arrive as part of software updates. To stay safe, keep the operating system and apps on all your devices updated.

Keep Personal Information Safe and Secure Always

In a nutshell, staying vigilant and taking a few basic precautions greatly reduces the chance that somebody uses your private data for identity theft or other cybercrimes. The FTC received 2.8 million consumer fraud reports in 2021.

Shoulder surfing can happen anywhere, so staying mindful of your surroundings is essential. If you notice someone acting suspiciously or trying to look at your screen, cover it and move to a safer spot.

Likewise, use strong, unique passwords and a password manager such as Aura Password Manager or NordPass.

Pick an identity theft protection service like Aura to secure your digital footprint in a single move and to monitor the web for indications of a stolen identity.

Consider using a Virtual Private Network (VPN) like Surfshark, ExpressVPN, or Windscribe when you are on public WiFi. A VPN encrypts the traffic between your device and the VPN server and masks your IP address, so the hotspot operator and your ISP see only that you are connected to the VPN, not which sites you visit. It does nothing, however, against someone reading your screen over your shoulder.

Likewise, reliable anti-virus software like Norton, McAfee, or AVG helps stop malware from taking control of the data on your mobile devices or PC.

Here is why: outdated software has known holes that thieves can exploit with off-the-shelf tools. A trusted, up-to-date anti-virus program is not impenetrable, but it closes off the easy routes.
