Shoulder surfing: What it is and how to keep prying eyes away

The average American checks their phones 205 times per day, according to a recent survey — creating countless opportunities for shoulder surfers to sneak a glance at sensitive information. Whether you’re entering passwords, reading emails, or making payments, using your devices in public increases the risk of somebody stealing your data.

Discover how thieves use shoulder surfing to steal information, and learn some tips to help protect yourself from becoming a victim.

What is shoulder surfing?

Shoulder surfing is a social engineering technique where a thief secretly watches you enter valuable information, like your password, PIN, or credit card number, and then steals it. It most often happens in public places like coffee shops, airports, or ATMs, when you’re entering information on an electronic device while someone discreetly observes you.

If a shoulder surfer uses the stolen information to access your financial accounts or open new ones in your name, it can escalate to identity theft.

How shoulder surfing attacks work

Shoulder surfing attacks involve a thief observing a victim to steal information. The practice dates back to the early 1980s, when criminals would watch people enter calling card numbers at payphones, then steal these numbers to sell them or make long-distance calls.

Today, shoulder surfing usually refers to observing someone’s screen or keystrokes to memorize or record personally identifiable information. In other cases, binoculars, a cell phone video camera, or even a keen ear can be used.

When are you at risk of shoulder surfing?

Shoulder surfers use different tactics to steal information, like watching you enter your PIN at an ATM or eavesdropping on phone conversations.

Here are some examples of what these shoulder surfing scenarios could look like in real life:

• Using an ATM: You withdraw cash at the ATM and rush off. However, the screen still displays, “Would you like to make another transaction?” The attacker, who looked over your shoulder and memorized your PIN, hits “Yes,” and steals your money.
• Filling out forms at work: On the first day of a new job, you fill out onboarding paperwork at your computer, entering all sorts of personal information — your address, Social Security number, and bank account. At noon, you head out for lunch and leave without locking your screen. A lingering coworker sees your sensitive information.
• Completing tasks at a coffee shop: You kick back at a cafe for a cup of coffee and decide to pay your bills. You take a seat at a shared table, open your laptop, and log in to your bank with your username and password while a fellow patron watches on.
• Talking on the phone in public: You’re at the airport, seated in a packed terminal, waiting for your flight. You call to book a last-minute hotel and read your credit card number and CVV aloud. A fraudster listens in, secretly typing your info into their phone to use for purchases.
• Scrolling while on public transportation: You’re on a crowded bus or train checking your emails. You open one about a delivery that has your name and address on it. Now the person behind you knows who you are and where you live.

Signs you’ve been a victim of shoulder surfing

If a shoulder surfer targets you, you may notice suspicious transactions, strange emails, or unusual account activity.

• Unauthorized transactions: Unusual charges on your bank statements that you didn’t make.
• Password reset emails: Random password reset notifications, which may indicate someone is trying to access your account.
• New accounts in your name: Credit cards or other accounts that you didn’t open appearing on your credit report.
• Suspicious login activity: Alerts that your accounts are being accessed from unknown devices or locations.

What are the consequences of shoulder surfing?

Shoulder surfing is a serious threat that can lead to significant financial loss and identity theft. These effects can be long-lasting and difficult to recover from.

Here are some potential consequences to be aware of:

• Credit card fraud: If a shoulder surfer gains access to your credit card details, they could commit credit card fraud, leading to financial losses and potential damage to your credit score.
• Compromised data: Shoulder surfers seek out sensitive information, such as Social Security numbers or login credentials, which can be sold on the dark web for further exploitation.
• Identity theft: With enough of your personal information, a thief can open new credit accounts in your name or engage in other types of identity theft that can take years to recover from.

How to prevent shoulder surfing

Shoulder surfers prowl the borders of your personal space to notice without being noticed, but you can take steps to help prevent becoming a victim.

Consider using the following security measures to stay more private:

• Be aware of your surroundings: Watch for people and recording devices attempting to capture your personal information or financial details.
• Sit with your back to the wall: If you’re entering sensitive data into your computer or cellphone in a public place, position yourself so no one can look over your shoulder and easily see your screen.
• Attach a screen protector: Use a privacy screen protector on your devices to reduce visibility from side angles so only you can see what’s displayed.
• Shield the keypad: When you enter your PIN at an ATM or other terminal, use your hand to cover the keypad to prevent other people or cameras from seeing your code.
• Complete your transaction: Ensure your ATM transaction is fully completed, and take your receipt before stepping away.
• Don’t share info over the phone: Avoid discussing sensitive personal or financial details over the phone in public places where others might overhear.
• Lock your screen: If you’re outside of your home, always lock your computer or phone before stepping away to keep your information secure.
• Pick complex passwords: Use strong passwords with a minimum of 15 characters to make it harder for shoulder surfers to memorize what you’ve typed and keep your accounts more secure.
• Opt for biometric security: Where possible, use fingerprint or facial recognition to avoid the need to type sensitive passwords in public altogether.

What to do if you fall victim to shoulder surfing

If you realize you’ve been a target and a shoulder surfer might have stolen your personal information, you should take steps to protect your sensitive information and identity.

• Warn your bank: Let your bank know that someone may have access to your accounts so you can freeze any hacked payment cards. Some banks may even reimburse stolen funds.
• Enable two-factor authentication (2FA): Add 2FA to any compromised accounts, making it challenging for thieves to access your accounts.
• Protect your credit: Set up a fraud alert or credit freeze to help prevent fraudsters from opening new lines of credit in your name.
• Identity theft protection: Consider identity theft protection services to receive alerts if your personal information is compromised and get assistance if you need to recover your identity.

Protect yourself from shoulder surfing attacks

Just as real surfers are always searching for the perfect wave, fraudsters are constantly looking for ways to steal personal data. Let LifeLock Standard act as your lifeboat, helping to protect your personal information online and providing assistance if you need to restore your identity.

LifeLock Standard offers up to $25,000 in Stolen Funds Reimbursement* if your money is stolen due to identity theft. And, our U.S.-based Personal Restoration Specialists are on standby to help you restore your identity if the worst happens — so you can get your life back on track.

FAQs

Is shoulder surfing illegal?

Watching someone enter their information isn’t necessarily illegal, but using those details for fraud, identity theft, or unauthorized access is a crime.

Can shoulder surfing lead to identity theft?

Yes, shoulder surfing is one of the ways identity theft can happen. Attackers can use your stolen sensitive information to open new credit accounts, impersonate you, or access your online accounts — usually for financial gain.

How common is shoulder surfing?

An NYU study found that 73% of respondents had seen someone else’s confidential PIN. While not all these shoulder surfing instances were malicious or even intentional, the ease of carrying out this attack makes it a common threat to be aware of when in public spaces.