In this article:
Shoulder surfing has evolved from scammers with prying eyes to advanced schemes using the latest technologies. Here’s how to protect your data in public.
Shoulder surfing happens when a stranger can furtively view your device screen and keypad to obtain personal information. It is one of the few attack methods that requires the attacker to be in close proximity to you.
Such prying eyes look for any valuable personal data such as your credit card numbers, PINs, or passwords. Do you pay attention to your surroundings while accessing private information? Are you using text-based passwords rather than biometrics on your devices?
In this guide, learn how modern shoulder surfers steal your information and how you can protect yourself from becoming a sitting target.
Social engineering attacks such as shoulder surfing involve observing you use your mobile phone, laptop or credit card in order to steal your sensitive personal information.
Attacks are fairly common and tend to happen in public. Thieves eavesdrop and wait for you to let down your guard, like when you’re rushed or unaware of your surroundings.
Here’s an example of how shoulder surfing may work at an ATM:
There were 3.7 million total reports of fraud in 2022 [*]. And these fraud reports don’t just include online fraud attempts. That’s why it’s important to be cautious while you handle private information in public.
Shoulder surfing began in the early 1980s when scammers would snoop as people entered calling card numbers into public pay phones. They would then either use the numbers themselves to make long-distance calls or sell them for a cheaper price.
Today, scammers still use the method of looking over their victim’s shoulder to capture their confidential data. But they’ve also evolved their scams to take advantage of new technologies and the vulnerabilities of our devices. Here are the most common examples of shoulder surfing to beware of.
Shoulder surfers hang out in crowded spaces where they can blend in and steal information without being detected.
For example, let’s say you’re out with friends at a bar or restaurant and need to transfer money into your account to pay the bill. A shoulder surfer nearby can watch you enter your banking information into your mobile banking app and use it later to empty your account or commit financial fraud.
Have you ever wondered if the person standing next to you saw your PIN as you typed it into the keypad? Shoulder surfers regularly target ATMs in public places like outside of a gas station.
But they’re not just waiting around hoping to spot your PIN. Instead, they employ a number of different frauds, such as:
Few people think twice about using their phones on public transportation. But this is a perfect situation for shoulder surfers to attack.
Whenever you log into one of your phone's apps or enter your passcode, a shoulder surfer can make note of that information. Later, they might steal your phone or wallet and gain access to your sensitive information.
Your phone is often a golden ticket to your most sensitive information. When my phone was stolen on a holiday, scammers got access to my bank accounts, cryptocurrency wallets, and email. They were even able to change my passwords and lock me out of my own accounts.
If you’ve ever logged into accounts on the Wi-Fi at your local coffee shop, you’ve put your sensitive information at risk.
Cybercriminals use unsecured public Wi-Fi networks to carry out man-in-the-middle (MITM) attacks. These are a form of shoulder surfing in which they intercept your connection to steal sensitive data.
The worst part is, you won’t even know it’s happening to you. As you browse Instagram, Snapchat, or other social media, shop, or log in to work apps, the criminal captures all of your details from afar.
Sometimes shoulder surfers aren’t eavesdropping on what you type but what you say.
Let’s say you’re talking to your child on your cellphone and they ask for your credit card details to make a purchase online. Without thinking twice, you read them aloud for anyone to hear.
Nowhere is entirely safe from scammers or shoulder surfers. Just think about all the information you’re required to give up when you start a new job — Social Security number, address, phone number, banking details for benefits.
Your new coworkers could come over for a chat and catch a glimpse of your most sensitive information.
In each of the examples of shoulder surfing listed above, scammers got access to your personally identifiable information (PII). This includes your name, address, phone number, Social Security number, banking information, phone and credit card PIN, and account passwords.
With this information, scammers can wipe you out financially, take out loans in your name, or commit bank fraud. They can also gain access to sensitive information or photos you don’t want shared or steal your medical benefits (i.e., medical identity theft). They could even sell your identity on the Dark Web.
The worst thing about shoulder surfing attacks is that many go undetected until it’s too late.
If you don’t regularly monitor your credit reports or get fraud alerts, you’ll only find out that someone has stolen your identity when you get a strange bill in the mail, find out your account is empty, or don’t qualify for a home or car loan.
Unfortunately, recovering from identity theft can take weeks, months, or even years.
Like most scammers, shoulder surfers rely on your human nature to be trusting. Awareness of your surroundings is the first step in protecting yourself from shoulder surfing attacks. Don’t be caught off-guard when using your mobile device, tablet, or laptop in public.
Shoulder surfers can’t steal what they can’t see. Put your body between your sensitive information and anyone’s direct line of sight. For example, shield the keys on a PIN pad when entering your code, or stand against a wall and hold your phone close to your body when entering passwords.
It’s harder to catch and remember a password that’s long, complicated, and full of different characters.
Avoid using common or easy passwords and don’t fall into the trap of reusing old ones. According to a study from Harris Poll and Google, 66% of Americans reuse the same passwords for social media, email, and banking accounts.
But if someone spies your Facebook password and it’s the same as all your other accounts, you just gave them access to everything.
To help you remember different and difficult passwords, use a secure password manager. This tool securely stores all your usernames and passwords and gives you easy access when you need them.
Man-in-the-middle attacks take advantage of weak public Wi-Fi security to watch you enter your details. If you have to log into an account while on public Wi-Fi, disconnect and use your phone’s hotspot instead. This keeps eavesdroppers on the network from seeing your login information.
For additional security, consider a virtual private network (VPN). A VPN encrypts your network connection so scammers and hackers can’t get access to it and see what you’re doing.
Many screen protectors make it harder for other people to see what’s on your phone, laptop, and other electronic devices. While a privacy protector won’t stop them from watching your keystrokes, it’ll stop them from seeing what site you’re using or your username.
Two-factor authentication is a security measure that requires a one-time code — either from an app or text — along with your password to access an account. It adds an extra layer of safety in case someone gets access to your passwords.
Pro tip: Avoid using SMS for 2FA. A shoulder surfer could see the code on your phone’s screen, or even steal your device and bypass the security. Instead, use an authenticator app such as Google Authenticator or Okta Verify.
Public computers in libraries or hotel business centers can be infected with malware designed to steal your info. Never use these to log in to your sensitive accounts.
Security measures tied to your fingerprints or facial recognition make it harder for scammers to get access to your accounts. However, there's always still the possibility of fingerprint identity theft. Make sure to combine biometric authentication with a secure password for the best protection.
You can also use technologies like contactless payment so fraudsters don’t have a chance to see your PIN.
One of the fastest ways to shut down a successful shoulder surfer is to catch them committing any type of financial fraud. A fraud monitoring system keeps tabs on all your accounts and alerts you of any suspicious activity.
With Aura’s credit monitoring, you don’t have to monitor your credit report yourself for fraudulent activity. We’ll check activity across your SSN, bank, and personal accounts and let you know if anything suspicious is going on.
If you need to give someone your credit card or other sensitive information over the phone, wait until you’re in a private place. If this isn’t possible, try to call the person back at another time.
ATMs outside of gas stations or in public places are easier to tamper with or monitor. Avoid these and instead use ones inside a business. It’s less likely that a scammer was able to install a skimmer or shimmer on these.
Aura’s top-rated identity theft protection monitors all of your most sensitive personal information, online accounts, and finances for signs of fraud. If a scammer tries to access your accounts or finances, Aura can help you take action before it’s too late.
Any form of identity theft — including shoulder surfing — can take time, effort, and money to resolve.
If you know your sensitive information has been compromised, you need to report it to the authorities and take back control of your accounts.
For identity theft and fraud, you’ll want to:
Aura can handle many of the steps above for you, or act proactively so that your identity is protected in the first place. With Aura, you can protect your entire family, backed by a $1,000,000 insurance policy for eligible losses due to identity theft.
Editorial note: Our articles provide educational information for you to increase awareness about digital safety. Aura’s services may not provide the exact features we write about, nor may cover or protect against every type of crime, fraud, or threat discussed in our articles. Please review our Terms during enrollment or setup for more information. Remember that no one can prevent all identity theft or cybercrime.