What is shoulder surfing, and how it works

Shoulder surfing refers to criminals looking at people’s screens to obtain personal information. It is a visual hacking technique, meaning no tools are usually necessary. The criminals look at your screen while entering your PIN or providing other sensitive information. Then, they can abuse this information for account takeover or identity theft.

Thus, it is crucial to pay attention to your surroundings and notice whether someone keeps looking at you. Learn how you can stay safe from shoulder surfing. 

What shoulder surfing is 

Shoulder surfing means criminals look at your device screen and keypad to obtain personal data. 

It could be a way to capture names, addresses, social security numbers, PINs, usernames, and passwords. They could also learn information provided via chats on instant messaging apps or email. 

Shoulder surfing usually happens in crowded public places. Criminals sit or stand nearby to see the information you enter physically.

Examples of shoulder surfing attacks

Shoulder surfing in cybersecurity is likely one of the most common ways for someone to steal sensitive data. Here are some examples of how this visual snooping can occur: 

• An attacker observes mobile devices to gather PINs, credentials, or credit card numbers. 
• A suspicious person stands too close as you type in your ATM PIN. Over the years, ATM hacks have become more frequent. However, a simple shoulder surfing also poses a risk.
• People in public transportation might glance at your screen as you use your smartphone.
• Shoulder surfers can also see the security measures like two-factor authentication or security questions you use. 

So, shoulder surfing reveals your information and how you have protected your mobile phones or accounts. 

Shoulder surfing and phone number spoofing example 

Shoulder surfing can lead to other social engineering attacks. For instance, attackers could obtain your phone number and notice which bank provider you use. 

They can spoof the phone number of your bank and contact you. They might claim issues with your account to steal more data or convince you to click on malicious links.

How shoulder surfing happens 

Shoulder surfers can be near their targets and see what they do on their phones or other electronic devices. However, shoulder surfing could use more advanced tools like binoculars or secret video cameras. 

Thus, criminals could capture personal identification numbers, PINs, and other data remotely. 

Effects of shoulder surfing 

The aftermath of shoulder surfing differs depending on the information attackers have managed to steal. However, here are some of the common ways visual hackers can exploit your data: 

• Thieves capture smartphone PINs and look for an opportunity to snatch phones. 
• Attackers commit identity theft based on stolen data like names, addresses, social security numbers, etc. 
• Criminals use usernames and passwords to take over accounts, especially those without 2FA. 
• Thieves abuse your bank information to commit financial fraud. 

Is shoulder surfing illegal? 

Shoulder surfing is a criminal activity with the intention to steal users’ private data and exploit it. 

Victims might report various issues after an attacker learns their credentials. For instance, they could deal with synthetic identity theft or find out that they are locked out of their accounts. 

How to prevent shoulder surfing 

Shoulder surfing might seem like an innocent act, but it can make victims lose money and data. Luckily, users can effectively protect themselves from shoulder surfing with a few simple recommendations.

1. Use a privacy screen protector 

A privacy screen protector is a filter that prevents snoopers from seeing your screen from the sides. Thus, if somebody glances at your device, they will only see a dark screen. Privacy screen protectors are available for laptops, smartphones, and tablets. 

2. Avoid public Wi-Fi networks

Shoulder surfing likely happens in public spaces when users turn to free Wi-Fi. However, remember that it is best to avoid accessing sensitive information and accounts on public Wi-Fi. 

Of course, you can enable a VPN (Virtual Private Network) to protect your activities. Remember that people in the area could see the information you enter. 

3. Apply 2FA on accounts 

Shoulder surfing could allow perpetrators to capture usernames and passwords. However, if you protect your accounts with 2FA, they won’t be able to access them.

4. Use fingerprint or facial recognition

Smartphone PINs have been helpful for years. But currently, it might be better to use biometric authentication. Shoulder surfers cannot easily replicate such attributes to access mobile phones. 

5. Be wary of your surroundings

The general rule is that you should look for signs that someone nearby is trying to view your screen. Moving to a more private location is best to see anything sensitive and personal. Cover your screen and keypad to protect yourself from shoulder surfing in crowded places. 

The general rule is that you should wait to be in a secure place to deal with personal affairs.

6. Enable fraud detection

Protect your bank accounts by setting up fraud alerts. It can help you learn about a potential breach as soon as possible. Furthermore, you can consider using identity theft protection services to guard your data.