How to Protect Yourself From a Shoulder Surfing Attack

You’re on a plane or a train, traveling for work. You’ve got your laptop open because you need to complete your project before you have a meeting. As you reach for your water, you notice that the person next to you quickly averts their eyes. They were glancing at your screen and saw what you were working on. While this might just be normal human nosiness, it could be someone engaging in a shoulder surfing attack.

Shoulder surfing is when someone can view your personally identifiable information (PII) because the device screen is visible in a public area. By understanding what shoulder surfing is, how it happens, and what the consequences are, you can learn how to protect yourself and stay safe online.

What is shoulder surfing?

Shoulder surfing happens when a person is physically close enough to you to observe your actions and access your PII. Typically, shoulder surfing occurs in public locations where someone can snoop on you while you are:

• Typing your personal identification number (PIN) into an ATM or PoS machine at a checkout counter
• Entering a password on a device screen
• Having a conversation and exchanging your PII, like with a healthcare provider

Since shoulder surfing attacks involve your confidential data, victims often deal with issues like:

• Identify theft
• Credit card theft
• Credential theft
• Financial fraud

Recent research from SECUSO found that shoulder surfers are often:

• Strangers in public places, like on public transportation
• Friends or colleagues who are attending a social gathering with you
• Family when in private environments [1]

The research also explained that shoulder surfers may try to steal information by observing:

• Photos
• Messages
• Emails
• Video calls
• Games
• Social media content [1]

To prevent shoulder surfers from stealing your information, you need to protect your privacy when you access the internet, especially in public places.

Types of shoulder surfing

There are three types of shoulder surfing attacks:

• Direct observation: Standing within physical proximity to you and/or your electronic device to view what you’re doing
• Eavesdropping: Overhearing a conversation in a public location
• Recording: Using a recording device to take pictures, videos, audio of your activities

Examples of shoulder surfing

Fraudsters use shoulder surfing to steal sensitive information when their victims are in public places. Some examples of shoulder surfing include:

• Reading login credentials when a victim enters them on a public computer, like in a library or hotel business center
• Watching a victim enter credit card numbers when using a public Wi-Fi network to make a purchase
• Peeking at a victim’s mobile phone screen when they access sensitive information, like inputting data into a spreadsheet from a tablet
• Seeing a device left unlocked and unattended in a public place, like while getting napkins in a coffee shop
• Overhearing someone talk to their doctor during an intake call where they provide information like birthdate or insurance data
• Using a smartphone camera to take a video of someone inputting a password

What are the consequences of shoulder surfing?

While family, friends, and colleagues may merely be nosy, strangers engaging in shoulder surfing can pose significant risks:

Identity theft

Using stolen information, malicious actors can impersonate a victim to gain access to personal accounts or create fraudulent accounts. Ultimately, the victim can experience financial losses or damage to their credit score.

Unauthorized transactions

Attackers can steal credit card details, enabling them to make unauthorized transactions through your bank account. Victims must either pay for these purchases or spend time disputing the charges.

Compromised credentials

Malicious actors can obtain your login credentials and compromise your account security. They can then change your passwords or security questions to prevent you from taking back your account.

According to recent research, PINs are highly vulnerable to compromise, likely because observers can follow users’ fingers and then use their mental model of the keypad to decode the number without having to observe it fully.

Emotional distress

Often, victims feel embarrassed or ashamed because shoulder surfing has compromised their personal information. They may also feel stressed that they have to do the work of getting their data and control back.

What to do if you experience a shoulder surfing attack?

The good news is you can take action if you’ve experienced a shoulder surfing attack.

Here are some key steps to take:

• File an identity theft report with the Federal Trade Commission (FTC) at identitytheft.gov.
• File a police report for identity theft.
• Notify your bank to monitor your accounts and look for suspicious account activity.
• Request any of the major credit bureaus to freeze your credit to prevent malicious actors from opening new accounts in your name

How to prevent shoulder surfing attacks

To help protect yourself and your data, you can take precautionary steps to prevent shoulder surfing attacks from being successful:

Be vigilant

Staying aware of your surroundings can help you detect someone trying to observe you. Before entering any sensitive data on a device, look around to make sure no one is watching you. If you’re in a crowded space, shield your device or keyboard with your body.

Use privacy screens or protectors

Covers for your screens can help stop people from seeing what you’re doing. A privacy screen filters light to make viewing your screen from a different angle difficult. Meanwhile, a protector makes viewing your screen from a distance difficult. A privacy screen protector with four-way filters works best for portrait and landscape modes.

Use a VPN

When you’re using public Wi-Fi, a virtual private network (VPN) can protect your sensitive information by encrypting information traveling across the internet. While shoulder surfing typically focuses on physical observation rather than digital compromise, this added cybersecurity step helps you cover all your privacy bases.

Be careful on shared devices

If you’re using a public or shared device, be careful about entering personal data. For example, if you use a computer in a hotel business center or library, you should clear your browsing history and log out of all your accounts before stepping away from the device.

Lock your device

Set your device to start your screensaver after a certain amount of time, or set it to lock when inactive. This prevents people from accessing or viewing your device if it's unattended.

Use two-factor authentication (2FA)

With two-factor authentication, you combine two of the following:

• Something you know (password or PIN)
• Something you have (mobile device or token)
• Something you are (biometric authentication like fingerprint or facial recognition)

If someone steals your login credentials, the 2FA forces a challenge question. This will notify you if someone is attempting to gain unauthorized access to an account.

Create a long, unique password

A strong password can make it difficult for shoulder surfers who are trying to guess your password by observing your activity. When creating passwords, you should include:

• At least 8 to 12 characters (or longer!)
• A mix of numbers, letters, and special characters
• Spaces between words
• A mix of uppercase and lowercase letters

Use a password manager

If you use a password manager, you won’t have to type credentials into your device. The password manager will autofill the information for you, so shoulder surfers won’t have anything to observe. We recommend NordPass for its autofill feature, but you can read more about our top password managers.

Shoulder surfing FAQs

Bottom line

Shoulder surfing, like any type of attack, shouldn’t make you overanxious about using your device in public. Modern life is a hybrid physical and digital experience. The key to protecting yourself and your data is knowing what to look for and maintaining a healthy level of awareness. You wouldn’t walk alone on a dark, deserted street at night, and you shouldn’t leave your devices open to anyone walking past you in a crowded, public location.

Additionally, you need to make sure that you protect your data from any digital “prying eyes,” like hackers trying to steal data while you’re on public Wi-Fi. To keep your data safe, you can check out this guide to the best VPNs to create a complete physical and digital data protection plan.

Customizable Coverage That is Simple to Use

4.9

AllAboutCookies writers and editors score products based on a number of objective features as well as our expert editorial assessment. Our partners do not influence how we rate products.

Editorial Rating

Learn More

On NordVPN's website

VPN

NordVPN

Up to 66% off 2-year plans + 3 months extra

• Ultra-secure, high-speed VPN complete with malware protection and automatic blocking of intrusive ads and third-party trackers
• Other benefits include a premium password manager, dark web monitoring, and access to IP-restricted content
• 3 plans to choose from for custom protection on up to 10 devices
• Too many confusing plans

Author Details

Karen Walsh

About the Author

Karen Walsh is a lawyer and former-internal-auditor-turned-subject-matter-expert in cybersecurity and privacy compliance. Karen has been published by leading industry outlets and quoted by The New York Times and CNN Investigative reporters.