Updated on January 3, 2024.
Shoulder surfing is a method of information theft in which a cybercriminal watches a victim from nearby to see any information they type or view on their screens. You may have noticed that the PIN pads at grocery stores have a protective shield surrounding the buttons. This shield is placed to prevent shoulder surfers from catching a glimpse of your PIN.
Continue reading to learn how shoulder surfing works, examples of shoulder surfing, what makes shoulder surfing a cybersecurity threat and how to protect your private information from this type of attack.
How Shoulder Surfing Attacks Work
Shoulder surfing works by an attacker looking over a victim’s shoulder to see what they are doing and stealing the private information displayed on their screen. In practice, an attacker could stand anywhere they can watch the victim. They position themselves strategically for a clear view and may even use surveillance devices like cameras or binoculars to commit theft and record sensitive information.
Shoulder surfers often choose public places where they can watch multiple victims at once. For example, they may stand near an ATM to collect the PINs of visitors. They could hang out and watch people in a coffee shop where guests commonly work on their laptops. Airports and public transportation like the subway are also common settings for shoulder-surfing attacks.
Anything that the attacker can see or hear – a screen, a keyboard, papers, phone calls or hand movements – is data they can use for malicious purposes.
Examples of Shoulder Surfing
Below are two examples of how shoulder surfing can occur.
Shoulder surfing at a coffee shop
Let’s say a person chooses to work remotely from their local coffee shop and doesn’t take precautions to prevent a shoulder surfer from seeing the sensitive information on their screen. If there is a shoulder surfer at the same coffee shop, they may choose to position themselves in a place where they can see just enough of their targeted victim’s screen.
Depending on the type of information the person has on their screen, the shoulder surfer can write down any information they think they’ll be able to use for malicious purposes such as for financial or identity theft. Below is what shoulder surfing at a coffee shop may look like.

Shoulder surfing at an ATM
Shoulder surfing at an ATM can happen in one of two ways. The first way is by the shoulder surfer installing a camera facing the PIN pad on the ATM so they can catch the PIN you enter and possibly a glimpse of your debit or credit card. The second way is by the shoulder surfer standing directly behind you and peeking over your shoulder.
If you’re not aware of your surroundings, a shoulder surfer may be able to gather your sensitive information while you withdraw or deposit money at an ATM. Below is what shoulder surfing at an ATM may look like.

How Is Shoulder Surfing Related to Cybersecurity?
Although shoulder surfing occurs in the physical world, it’s a cybersecurity issue. Any private information that can be seen on the screen of a victim’s device can be stolen. As the victim types passwords, checks their bank account, sits in on confidential work meetings or shops online, the shoulder surfer can record or memorize their data. The information that shoulder surfers can steal includes:
- Usernames and passwords
- PIN numbers
- Credit and debit card numbers
- Social Security numbers
- Bank account details
- Intelligence about the victim’s job
- Information about the victim’s friends and family
Once this sensitive data is stolen, the shoulder surfer returns to the digital world and can use what they learned to hack into accounts belonging to the victim. Shoulder-surfing attacks can lead to theft of money, account takeover attacks and even identity theft. They can also lead to leaks of confidential business intel, which can place a business at risk of suffering a cyber attack.
How To Protect Yourself Against Shoulder Surfing
Protecting yourself from shoulder surfing is a matter of being aware of your surroundings when you’re in public and using basic privacy measures like the following.
1. Use privacy screens on all your devices
Privacy screens are placed over the screen of your laptop, smartphone or tablet. They have a coating that makes it difficult to view the screen of the device from peripheral angles. This prevents shoulder surfing by limiting the ways that others can get a clear view of what you’re doing on your device.
2. Use your hand as a shield when typing sensitive information
Your hand can be a useful physical shield when in public to prevent shoulder surfers from seeing your data. Shield your keyboard or PIN pad in public when you’re typing passwords, PINs or other sensitive information. You can also shield your smartphone screen with your hand whenever you’re accessing sensitive data like logging in to your banking account.
3. Use a password manager to keep your passwords safe
A password manager is a tool that stores and protects login credentials. Password managers can help protect you from shoulder surfing since they autofill your credentials when you’re logging in to a website, meaning you don’t have to worry about shoulder surfers watching you as you type out passwords.
4. Maintain physical distance from people
If you can, maintain a physical distance from crowds when you are using your device in public to prevent people from peeking over your shoulder. If you are in an airport, for example, choose to work at a gate or cafe that isn’t crowded. Some airports even have privacy booths that you can rent to keep your screens away from curious eyes.
5. Position yourself strategically when working in a public place
If you are setting up to work on your laptop in public, be aware of how you’re positioning your laptop. It’s best to be up against a wall or in a nook where people can’t walk behind you or view your screen from an angle.
6. Adjust your screen brightness to a lower setting
Darkening your screen can make it harder to see what’s on it from a distance. Use this to your advantage when using your device in public places.
7. Don’t take phone calls or meetings in public places
It’s common to need to recite sensitive information on the phone. For example, if you’re making a purchase over the phone you may need to recite your credit card number. Meetings about confidential topics are also common. Don’t take these sensitive meetings or phone calls in public places. Wait until you are in private to prevent a shoulder surfer from stealing that information.
8. Lock your device when you’re not using it
If you’re not actively working, close up your devices, put them away and lock the screens. When you’re not paying attention, or when you’ve walked away for a moment to collect your coffee order, these are prime opportunities for shoulder surfers to get a clear view of your screen and memorize any sensitive information on display.
9. Avoid working on sensitive tasks in public
While the above steps can protect you, it’s best to avoid working on sensitive tasks in public altogether, in case a shoulder surfer is watching. Tasks that are best completed in private include:
- Logging in to bank accounts or retirement accounts
- Looking at databases with sensitive data
- Reading confidential documents
- Shopping online
- Filing your taxes
Guard Your Sensitive Data From Shoulder Surfers
It may seem like cybersecurity threats only exist online, but serious cyber attacks can start in the real world when someone catches a glimpse of your sensitive information. While shoulder surfers are dangerous, you don’t have to avoid looking at your devices in public places. You can protect yourself by being alert when using your devices in public and taking basic precautions.
To see how a password manager can help keep your passwords safe from shoulder surfing due to its autofill feature, start a free 30-day trial of Keeper Password Manager today.