What is shoulder surfing, and how can you avoid it?

Shoulder surfing is the practice of someone attempting to steal sensitive data by watching over the victim’s shoulder as they’re using a mobile phone, laptop, or another device in public.

Shoulder surfers aim to steal information like credit card details, account passwords, or credit card PINs (personal identification numbers). Using this information, they may try to access your bank account online or use your debit or credit card to make purchases.

The consequences of shoulder surfing can be very serious — from committing identity theft and selling your data on the dark web to emptying the victim’s bank accounts. That’s why taking the necessary steps to prevent these attacks is so important.

How does shoulder surfing happen? A shoulder surfing attack can occur whenever you share sensitive personal information in a public place. Here are some examples of how a shoulder surfer may try to steal information from you to gain access to your accounts.

Logging in to your mobile banking in public may seem like a normal thing to do — but it provides shoulder surfers an opportunity to steal your data. Imagine you’re waiting for a coffee at a local coffee shop. You want to check something on your bank account, so you open your mobile banking app and quickly type in your username and password. Meanwhile, the person standing behind you is close enough to see exactly what you type over your shoulder. Later, they use your login credentials to access your bank account.

Using your credit or debit card in a busy grocery store can also make you a target. You may think all you’re doing is paying for your milk and cheese. However, the person next to you is using a small recording device to record your entire transaction — from when you take out your credit card to when you enter your credit card PIN. They watch the recording to note your card details and PIN, then use your credit card to commit bank fraud.

Accessing accounts on your laptop in public may also not be as safe as you think. A shoulder surfing attack can happen when you’re working from a public place, like a cafe or a library. A laptop screen is typically larger than a mobile device, giving shoulder surfers the perfect opportunity to obtain personal information.

You may log in to your online accounts without realizing someone’s watching your device screen. Shoulder surfers may note down the account information you’ve entered and use it to carry out cyberattacks.

Providing personal information over the phone poses several cybersecurity risks. Even though there’s no looking over the shoulder involved, criminals can also steal your data when you share personal information out loud. Imagine you’re on a busy train when your phone rings, and your sister asks for your Netflix details.

Without thinking about who might overhear, you give your username and password to her over the phone. In the meantime, someone near you is listening to the entire conversation and noting down your account details. They can now access your Netflix account and any other accounts with the same username and password.

The good news is that, like many cyberattacks, shoulder surfing can be prevented.

Shoulder surfers rely on their victims’ lack of awareness in public to steal confidential information. If you know these cybercriminals can operate anywhere, it may help you minimize the chances of someone stealing your bank details or personally identifiable information.

Here are the most effective ways to protect your sensitive accounts from shoulder surfing attacks.

Use strong, long, and unique passwords

Using strong passwords can prevent many cyberattacks, including shoulder surfing. It’s much harder for shoulder surfers to catch and note down a long, complex password full of different characters. On the other hand, if you’re using a common word or phrase, you’re making it easy for them.

Avoid common or easy passwords — and don’t reuse the same password on multiple accounts. If someone manages to note down one of your passwords, they will only gain access to one account, not all of them.

Because complex passwords are hard to remember, consider using a secure password manager like NordPass. This tool generates complex, hard-to-crack passwords and stores all your passwords and sensitive information in an encrypted vault. You won’t need to type your password, making it much harder for shoulder surfers to steal sensitive information.

Protect accounts with two-factor authentication

Using strong passwords helps protect your accounts, but two-factor authentication (2FA) further increases your account security.

With 2FA, you need to confirm your identity with an additional verification step every time you log in to your account. This second step of the authentication process may use biometric data (e.g., facial recognition) or a one-time password or code.

This way, if your password has been compromised in a shoulder surfing attack, the criminal behind the attack will struggle to access your account without the second verification step (e.g., biometric authentication). Make sure you set up two-factor authentication whenever it’s available to help protect your personal accounts.

Use a privacy screen protector

If you often use your devices in public, consider getting a privacy screen protector (also known as a privacy shield).

Privacy shields, which you can get for mobile phones or laptops, make the display on the screen visible only from a certain angle. Anyone trying to snoop on you won’t be able to see your screen well enough to make out the site you’re on or your username.

Remember that shoulder surfers may still be able to see what you’re typing on your keyboard, but at least your screen will be protected.

Never log in to accounts using public Wi-Fi

Using public Wi-Fi networks won’t necessarily make it easier for shoulder surfers to steal your data, but it may lead to other cyberattacks. Public Wi-Fi is rarely safe, providing attackers the perfect opportunity to carry out various cyberattacks — from a man-in-the-middle attack to malware injection.

If you input personal data when connected to unsecured public Wi-Fi networks, you could be putting your accounts at risk. You can access public Wi-Fi safely with a VPN — but if you’re not connected to a VPN server, your data (e.g., bank details, personal photos, or login information) could be exposed.

Shield your personal information

Make sure your sensitive information stays hidden in public by shielding it with your body or hand. If you’re entering your login details with someone standing right behind you, check that the person can’t see what you’re typing.

Similarly, when entering your PIN at an ATM or grocery shop, cover it with your hand so that it’s not easy for a shoulder surfer to see. Eventually, shielding your pin will become a habit that helps keep your financial information safe.

Keep an eye on your bank statements

If a shoulder surfer has stolen and used your personal information to access your accounts, catching it early can help minimize the damage.

Monitor your bank accounts throughout the day and review your monthly financial statements. If you spot a suspicious transaction, report it to your bank immediately. Most banks already have many security measures in place to prevent financial fraud, but incidents may occasionally slip through the net. Watching for any signs of foul play can help you minimize the damage.

Monitor your credit

It’s also a good idea to keep track of your credit by regularly downloading credit reports. Credit reports are free and easy to download online through trusted providers (like Experian).

If you notice signs of fraud on your credit report, you can add a fraud alert to help prevent further harm to your credit score. Fraud alerts notify potential lenders to take additional identity verification steps before processing applications for new loans or credit cards.

If you place a fraud alert with one of the three major credit bureaus (Experian, TransUnion, or Equifax), it will automatically be placed at all three.

Checking your credit reports regularly can help prevent identity theft or catch it as soon as it happens so you can minimize the harm. Learn about more things you can do in response to identity theft.