What Is Shoulder Surfing? (And Tips for Protecting Against Shoulder Surfing Attacks)

To protect yourself from a shoulder surfing attack, you should know what it is, the damage it can cause, and how to prevent it.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

You’re on a plane or a train, traveling for work. You’ve got your laptop open because you need to complete your project before you have a meeting. As you reach for your water, you notice that the person next to you quickly averts their eyes. They were glancing at your screen and saw what you were working on. While this might just be normal human nosiness, it could be someone engaging in a shoulder surfing attack.

Shoulder surfing is when someone can view your personally identifiable information (PII) because the device screen is visible in a public area. By understanding what shoulder surfing is, how it happens, and the consequences, you can learn how to protect your identity and stay safe online. 

4.9
Editorial Rating
Learn More
On Aura Identity Theft's website
Identity Protection
Aura Identity Theft
Best Sale of the Year: Up to 78% Off
  • #1 rated ID theft protection service with a full suite of monitoring tools
  • Includes up to $1 million in ID theft insurance for up to five adults
  • Protect your children with robust parental controls and gaming alerts

In this article
What is shoulder surfing?
Examples of shoulder surfing
Risks shoulder surfing attacks pose
How to prevent shoulder surfing attacks
FAQs
Bottom line

What is shoulder surfing?

Shoulder surfing happens when a person is physically close enough to you to observe your actions and access your personally identifiable information (PII). Typically, shoulder surfing occurs in public locations where someone can snoop on you while you are:

  • Typing your personal identification number (PIN) into an ATM or PoS machine at a checkout counter
  • Entering a password on a device screen
  • Having a conversation and exchanging your PII, like with a healthcare provider

Since shoulder surfing attacks involve your confidential data, victims often deal with issues like:

  • Identify theft
  • Credit card theft
  • Credential theft
  • Financial fraud

Recent research from SECUSO found that shoulder surfers are often:

  • Strangers in public places, like on public transportation
  • Friends or colleagues who are attending a social gathering with you
  • Family when in private environments [1]

The research also explained that shoulder surfers may try to steal information by observing:

  • Photos
  • Messages
  • Emails
  • Video calls
  • Games
  • Social media content [1]

To prevent shoulder surfers from stealing your information, you need to protect your privacy when you access the internet, especially in public places.

Types of shoulder surfing

There are three types of shoulder surfing attacks:

  • Direct observation: Standing within physical proximity to you and/or your electronic device to view what you’re doing
  • Eavesdropping: Overhearing a conversation in a public location
  • Recording: Using a recording device to take pictures, videos, audio of your activities

The good news is you can take action if you’ve experienced a shoulder surfing attack. Here are some key steps to take:
  • File an identity theft report with the Federal Trade Commission (FTC) at identitytheft.gov.
  • File a police report for identity theft.
  • Notify your bank to monitor your accounts and look for suspicious account activity.
  • Request any of the major credit bureaus to freeze your credit to prevent malicious actors from opening new accounts in your name.

Examples of shoulder surfing

Fraudsters use shoulder surfing to steal sensitive information when their victims are in public places. Some examples of shoulder surfing include:

  • Reading login credentials when a victim enters them on a public computer, like in a library or hotel business center
  • Watching a victim enter credit card numbers when using a public Wi-Fi network to make a purchase
  • Peeking at a victim’s mobile phone screen when they access sensitive information, like inputting data into a spreadsheet from a tablet
  • Seeing a device left unlocked and unattended in a public place, like while getting napkins in a coffee shop
  • Overhearing someone talk to their doctor during an intake call where they provide information like birthdate or insurance data
  • Using a smartphone camera to take a video of someone inputting a password

Risks shoulder surfing attacks pose

While family, friends, and colleagues may merely be nosy, strangers engaging in shoulder surfing can pose significant risks:

Unauthorized transactions

Attackers can steal credit card details, enabling them to make unauthorized transactions through your bank account. Victims must either pay for these purchases or spend time disputing the charges.

Compromised credentials

Malicious actors can obtain your login credentials and compromise your account security. They can then change your passwords or security questions to prevent you from taking back your account.

According to recent research, PINs are highly vulnerable to compromise, likely because observers can follow users’ fingers and then use their mental model of the keypad to decode the number without having to observe it fully.

Emotional distress

Often, victims feel embarrassed or ashamed because shoulder surfing has compromised their personal information. They may also feel stressed that they have to get their data and control back.

Identity theft

Using stolen information, malicious actors can impersonate a victim to gain access to personal accounts or create fraudulent accounts. Ultimately, the victim can experience financial losses or damage to their credit score.

Best-in-class identity theft services

Service
Price Starts at $9.00/mo (billed annually) Starts at $7.50/mo (billed annually) for first year Starts at $8.99/mo
# of people covered 1 - 5 adults, unlimited children 1 - 2 adults, up 5 children 1 - 5 adults, unlimited children
Types of identity monitoring Identity and SSN, account breach, home and auto title, criminal and court records Identity and SSN, dark web, phone takeover, home title, social media Dark web, high-risk, bank account, social media, credit and debit card
ID theft insurance Up to $1 million Up to $1.05 million through $3 million, depending on plan Up to $1 million
Credit monitoring
Identity restoration services
Details Get Aura Get LifeLock Get Identity Guard

How to prevent shoulder surfing attacks

To help protect yourself and your data, you can take precautionary steps to prevent shoulder surfing attacks from being successful:

Be vigilant

Staying aware of your surroundings can help you detect someone trying to observe you. Before entering any sensitive data on a device, look around to make sure no one is watching you. If you’re in a crowded space, shield your device or keyboard with your body.

Use privacy screens or protectors

Covers for your screens can help stop people from seeing what you’re doing. A privacy screen filters light to make viewing your screen from a different angle difficult. Meanwhile, a protector makes viewing your screen from a distance difficult. A privacy screen protector with four-way filters works best for portrait and landscape modes.

Use a VPN

When you use public Wi-Fi, a virtual private network (VPN) can protect your sensitive information by encrypting it as it travels across the internet. While shoulder surfing typically focuses on physical observation rather than digital compromise, this added cybersecurity step helps you cover all your privacy bases.

Be careful on shared devices

If you’re using a public or shared device, enter personal data carefully. For example, if you use a computer in a hotel business center or library, you should clear your browsing history and log out of all your accounts before stepping away from the device.

Lock your device

Set your device to start your screensaver after a certain amount of time, or set it to lock when inactive. This prevents people from accessing or viewing your device if it's unattended.

Use two-factor authentication (2FA)

With two-factor authentication, you combine two of the following:

  • Something you know (password or PIN)
  • Something you have (mobile device or token)
  • Something you are (biometric authentication like fingerprint or facial recognition)

If someone steals your login credentials, the 2FA forces a challenge question. This will notify you if someone is attempting to gain unauthorized access to an account.

Create a long, unique password

A strong password can make it difficult for shoulder surfers who are trying to guess your password by observing your activity. When creating passwords, you should include:

  • At least 8 to 12 characters (or longer!)
  • A mix of numbers, letters, and special characters
  • Spaces between words
  • A mix of uppercase and lowercase letters

Use a password manager

If you use a password manager, you won’t have to type credentials into your device. The password manager will autofill the information for you, so shoulder surfers won’t have anything to observe.

FAQs


+

What is an example of a shoulder surfing attack?

A typical example of shoulder surfing is when someone sneaks a peek at your device while you’re in a public place, like riding on public transportation or sitting in a crowded coffee shop.


+

What is the difference between shoulder surfing and phishing?

Both shoulder surfing and phishing are types of social engineering attacks. However, shoulder surfing relies on malicious actors being in close physical proximity to the victim.

Meanwhile, phishing is a digital attack where the malicious actor convinces the victim to share sensitive information by sending an email, text message, or instant message on a social media platform. Although both attacks can lead to identity theft and financial loss, phishing attacks are more prevalent and affect more people at once.


+

What is the best way to protect yourself from shoulder surfing?

To protect yourself from shoulder surfing, consider these cybersecurity best practices:

  • Invest in identity theft protection
  • Stay aware of your surroundings
  • Use a privacy screen protector
  • Use a VPN
  • Be careful on shared and public devices
  • Lock your device when inactive
  • Use two-factor authentication (2FA)
  • Create a long, unique password
  • Use a password manager

Bottom line

Shoulder surfing shouldn’t make you overanxious about using your device in public. Modern life is a hybrid physical and digital experience. The key to protecting yourself and your data is knowing what to look for and maintaining a healthy level of awareness. You wouldn’t walk alone on a dark, deserted street at night, and you shouldn’t leave your devices open to anyone walking past you in a crowded, public location.

The best way to protect yourself from physical data theft is to be proactively covered by identity theft services. Additionally, you need to make sure that you protect your data from any digital “prying eyes,” like hackers trying to steal data while you’re on public Wi-Fi. Opt for a cybersecurity bundle that offers ID theft protection, a password manager, and a secure VPN. 

4.9
Editorial Rating
Learn More
On Aura Identity Theft's website
Identity Protection
Aura Identity Theft
Best Sale of the Year: Up to 78% Off
  • #1 rated ID theft protection service with a full suite of monitoring tools
  • Includes up to $1 million in ID theft insurance for up to five adults
  • Protect your children with robust parental controls and gaming alerts

Author Details
Karen Walsh is a lawyer and former-internal-auditor-turned-subject-matter-expert in cybersecurity and privacy compliance. Karen has been published by leading industry outlets and quoted by The New York Times and CNN Investigative reporters.

Citations

[1] Shoulder Surfing through the Social Lens: A Longitudinal  Investigation & Insights from an Exploratory Diary Study