All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
You’re on a plane or a train, traveling for work. You’ve got your laptop open because you need to complete your project before you have a meeting. As you reach for your water, you notice that the person next to you quickly averts their eyes. They were glancing at your screen and saw what you were working on. While this might just be normal human nosiness, it could be someone engaging in a shoulder surfing attack.
Shoulder surfing is when someone can view your personally identifiable information (PII) because the device screen is visible in a public area. By understanding what shoulder surfing is, how it happens, and the consequences, you can learn how to protect your identity and stay safe online.
Examples of shoulder surfing
Risks shoulder surfing attacks pose
How to prevent shoulder surfing attacks
FAQs
Bottom line
What is shoulder surfing?
Shoulder surfing happens when a person is physically close enough to you to observe your actions and access your personally identifiable information (PII). Typically, shoulder surfing occurs in public locations where someone can snoop on you while you are:
- Typing your personal identification number (PIN) into an ATM or PoS machine at a checkout counter
- Entering a password on a device screen
- Having a conversation and exchanging your PII, like with a healthcare provider
Since shoulder surfing attacks involve your confidential data, victims often deal with issues like:
- Identify theft
- Credit card theft
- Credential theft
- Financial fraud
Recent research from SECUSO found that shoulder surfers are often:
- Strangers in public places, like on public transportation
- Friends or colleagues who are attending a social gathering with you
- Family when in private environments [1]
The research also explained that shoulder surfers may try to steal information by observing:
- Photos
- Messages
- Emails
- Video calls
- Games
- Social media content [1]
To prevent shoulder surfers from stealing your information, you need to protect your privacy when you access the internet, especially in public places.
Types of shoulder surfing
There are three types of shoulder surfing attacks:
- Direct observation: Standing within physical proximity to you and/or your electronic device to view what you’re doing
- Eavesdropping: Overhearing a conversation in a public location
- Recording: Using a recording device to take pictures, videos, audio of your activities
- File an identity theft report with the Federal Trade Commission (FTC) at identitytheft.gov.
- File a police report for identity theft.
- Notify your bank to monitor your accounts and look for suspicious account activity.
- Request any of the major credit bureaus to freeze your credit to prevent malicious actors from opening new accounts in your name.
Examples of shoulder surfing
Fraudsters use shoulder surfing to steal sensitive information when their victims are in public places. Some examples of shoulder surfing include:
- Reading login credentials when a victim enters them on a public computer, like in a library or hotel business center
- Watching a victim enter credit card numbers when using a public Wi-Fi network to make a purchase
- Peeking at a victim’s mobile phone screen when they access sensitive information, like inputting data into a spreadsheet from a tablet
- Seeing a device left unlocked and unattended in a public place, like while getting napkins in a coffee shop
- Overhearing someone talk to their doctor during an intake call where they provide information like birthdate or insurance data
- Using a smartphone camera to take a video of someone inputting a password
Risks shoulder surfing attacks pose
While family, friends, and colleagues may merely be nosy, strangers engaging in shoulder surfing can pose significant risks:
Unauthorized transactions
Attackers can steal credit card details, enabling them to make unauthorized transactions through your bank account. Victims must either pay for these purchases or spend time disputing the charges.
Compromised credentials
Malicious actors can obtain your login credentials and compromise your account security. They can then change your passwords or security questions to prevent you from taking back your account.
According to recent research, PINs are highly vulnerable to compromise, likely because observers can follow users’ fingers and then use their mental model of the keypad to decode the number without having to observe it fully.
Emotional distress
Often, victims feel embarrassed or ashamed because shoulder surfing has compromised their personal information. They may also feel stressed that they have to get their data and control back.
Identity theft
Using stolen information, malicious actors can impersonate a victim to gain access to personal accounts or create fraudulent accounts. Ultimately, the victim can experience financial losses or damage to their credit score.
Best-in-class identity theft services
Service | |||
Price | Starts at $9.00/mo (billed annually) | Starts at $7.50/mo (billed annually) for first year | Starts at $8.99/mo |
# of people covered | 1 - 5 adults, unlimited children | 1 - 2 adults, up 5 children | 1 - 5 adults, unlimited children |
Types of identity monitoring | Identity and SSN, account breach, home and auto title, criminal and court records | Identity and SSN, dark web, phone takeover, home title, social media | Dark web, high-risk, bank account, social media, credit and debit card |
ID theft insurance | Up to $1 million | Up to $1.05 million through $3 million, depending on plan | Up to $1 million |
Credit monitoring | |||
Identity restoration services | |||
Details | Get Aura | Get LifeLock | Get Identity Guard |
How to prevent shoulder surfing attacks
To help protect yourself and your data, you can take precautionary steps to prevent shoulder surfing attacks from being successful:
Be vigilant
Staying aware of your surroundings can help you detect someone trying to observe you. Before entering any sensitive data on a device, look around to make sure no one is watching you. If you’re in a crowded space, shield your device or keyboard with your body.
Use privacy screens or protectors
Covers for your screens can help stop people from seeing what you’re doing. A privacy screen filters light to make viewing your screen from a different angle difficult. Meanwhile, a protector makes viewing your screen from a distance difficult. A privacy screen protector with four-way filters works best for portrait and landscape modes.
Use a VPN
When you use public Wi-Fi, a virtual private network (VPN) can protect your sensitive information by encrypting it as it travels across the internet. While shoulder surfing typically focuses on physical observation rather than digital compromise, this added cybersecurity step helps you cover all your privacy bases.
Be careful on shared devices
If you’re using a public or shared device, enter personal data carefully. For example, if you use a computer in a hotel business center or library, you should clear your browsing history and log out of all your accounts before stepping away from the device.
Lock your device
Set your device to start your screensaver after a certain amount of time, or set it to lock when inactive. This prevents people from accessing or viewing your device if it's unattended.
Use two-factor authentication (2FA)
With two-factor authentication, you combine two of the following:
- Something you know (password or PIN)
- Something you have (mobile device or token)
- Something you are (biometric authentication like fingerprint or facial recognition)
If someone steals your login credentials, the 2FA forces a challenge question. This will notify you if someone is attempting to gain unauthorized access to an account.
Create a long, unique password
A strong password can make it difficult for shoulder surfers who are trying to guess your password by observing your activity. When creating passwords, you should include:
- At least 8 to 12 characters (or longer!)
- A mix of numbers, letters, and special characters
- Spaces between words
- A mix of uppercase and lowercase letters
Use a password manager
If you use a password manager, you won’t have to type credentials into your device. The password manager will autofill the information for you, so shoulder surfers won’t have anything to observe.
FAQs
What is an example of a shoulder surfing attack?
A typical example of shoulder surfing is when someone sneaks a peek at your device while you’re in a public place, like riding on public transportation or sitting in a crowded coffee shop.
What is the difference between shoulder surfing and phishing?
Both shoulder surfing and phishing are types of social engineering attacks. However, shoulder surfing relies on malicious actors being in close physical proximity to the victim.
Meanwhile, phishing is a digital attack where the malicious actor convinces the victim to share sensitive information by sending an email, text message, or instant message on a social media platform. Although both attacks can lead to identity theft and financial loss, phishing attacks are more prevalent and affect more people at once.
What is the best way to protect yourself from shoulder surfing?
To protect yourself from shoulder surfing, consider these cybersecurity best practices:
- Invest in identity theft protection
- Stay aware of your surroundings
- Use a privacy screen protector
- Use a VPN
- Be careful on shared and public devices
- Lock your device when inactive
- Use two-factor authentication (2FA)
- Create a long, unique password
- Use a password manager
Bottom line
Shoulder surfing shouldn’t make you overanxious about using your device in public. Modern life is a hybrid physical and digital experience. The key to protecting yourself and your data is knowing what to look for and maintaining a healthy level of awareness. You wouldn’t walk alone on a dark, deserted street at night, and you shouldn’t leave your devices open to anyone walking past you in a crowded, public location.
The best way to protect yourself from physical data theft is to be proactively covered by identity theft services. Additionally, you need to make sure that you protect your data from any digital “prying eyes,” like hackers trying to steal data while you’re on public Wi-Fi. Opt for a cybersecurity bundle that offers ID theft protection, a password manager, and a secure VPN.
[1] Shoulder Surfing through the Social Lens: A Longitudinal Investigation & Insights from an Exploratory Diary Study