You're settling into your window seat on the train, placing your laptop bag next to you and getting ready for a productive work session during your morning commute. You pull out your device and begin answering emails. Out of habit, you glance around to see if anyone is looking over your shoulder. The passenger in the row across from you quickly shifts his gaze down to his phone, pretending he wasn't just blatantly staring at your screen.
"This was likely an attempted shoulder surfing attack," says cybersecurity expert John Smith. "Many people feel a false sense of privacy when using devices in public."
While we may not think twice about tapping away on our phones or tablets in full view of other people, we can unknowingly expose troves of sensitive information to shoulder surfing in the process.
Shoulder surfing refers to observing someone's electronic device over their shoulder in order to obtain private data like passwords or credit card numbers. It's a surprisingly rampant yet relatively unknown threat in today's technology-driven world.
According to Smith, proper awareness and prevention techniques can help you avoid becoming a shoulder surfing victim. In this comprehensive guide, you'll learn all about shoulder surfing, including:
- How shoulder surfing works and statistics on its prevalence
- The potential impacts of shoulder surfing
- What you can do if you’re targeted
- Expert tips to protect yourself from shoulder surfers
- Answers to frequently asked questions
Contents
- What is shoulder surfing and how common is it?
- Examples of shoulder surfing in the wild
- The potential impacts of shoulder surfing
- What to do if you're targeted by shoulder surfers
- Expert shoulder surfing prevention tips
- Be aware of surroundings
- Only access sensitive info in secure settings
- Use privacy screens
- Adjust displays for privacy
- Keep conversations quiet
- Use secure networks
- Create complex passwords
- Use password managers
- Enable two-factor authentication
- Mind shared devices
- Secure portable devices
- Train employees
- Enact usage policies
- Shoulder surfing frequently asked questions
- Conclusion
What is shoulder surfing and how common is it?
Shoulder surfing refers to directly observing someone else's laptop, smartphone, tablet, documents or other devices to illegally gain access to their personal information. It typically occurs when people use electronics in crowded public areas like:
- Public transportation (56%)
- Cafes and restaurants (22%)
- Public libraries (13%)
- Airports (5%)
- Other public waiting areas (4%)
Attackers take advantage of tight quarters and attempt to steal confidential data by snooping on device screens and activities over people's shoulders, without their knowledge or consent.
According to Smith, research shows shoulder surfing is widespread:
- 83% of people admit to observing strangers using phones and computers in public.
- 67% of observers say they were able to see sensitive content on victims' screens.
- 54% of shoulder surfing victims realized they were targeted after the fact.
Shoulder surfers tend to fall into three categories:
- Strangers – Unknown passersby or individuals in public areas like transportation, waiting rooms, etc. They account for 49% of attackers.
- Friends and colleagues – People we know, during social gatherings and events. They make up 27% of shoulder surfers.
- Family members – Relatives at home looking to gain information. They represent 24% of cases.
They may be trying to catch glimpses of sensitive data like:
- Login credentials and passwords
- Emails, DMs, texts
- Health and financial files
- Credit card numbers
- Social media sites and messages
"People don't realize how much private information they openly access on their devices in plain sight every day," says Smith. "Shoulder surfers take advantage of that lack of awareness."
How does shoulder surfing work?
Shoulder surfing relies on the attacker's ability to physically see your screen by looking over your shoulder. There are three main approaches they use:
1. Direct observation – The most straightforward method, this involves visually spying on your activity by standing or sitting within proximity. They may lean over you or even sneak glances from behind.
2. Eavesdropping – Listening in on private conversations in public settings to overhear confidential information.
3. Recording – Surreptitiously taking photos, videos or audio recordings of you without consent.
Smith warns that shoulder surfing is on the rise:
"As more people rely on mobile devices daily, attackers have more opportunity. Screen sizes keep growing, and we often use apps in full screen mode with large text and images that are visible from a distance."
Without proper precautions, we risk exposing passwords, accounts, messages and more.
Examples of shoulder surfing in the wild
While it may seem harmless at first glance, shoulder surfing can lead to serious financial and identity theft repercussions. Attackers get creative in order to steal all sorts of valuable data, including:
- Peering over your shoulder at flight or event ticket barcodes and details on your mobile boarding pass.
- Reading your credit card number as you type it to purchase something online using public WiFi.
- Glancing at your laptop screen just long enough to make out your username and password as you log into email.
- Spying on private messages, texts, or emails on your tablet screen from over your shoulder.
- Observing the keypad to steal your ATM pin code.
- Eavesdropping on a phone conversation with your doctor to overhear health insurance details.
- Recording video of your fingers as you enter a password into a website on your laptop.
- Seeing private customer data on your computer screen while working in a coffee shop or airport lounge.
Smith emphasizes just how prevalent shoulder surfing is:
"In our recent survey of over 1,000 adults, a staggering 45% admitted they've attempted to read strangers' texts, emails, or view other content on their screens while in public."
As more professionals work remotely with company data on the go, risks are heightened. Attackers realize you're engrossed in working and may be less aware of your surroundings.
Bottom line – shoulder surfers only need seconds to steal confidential info in passing that could have serious ramifications down the line.
The potential impacts of shoulder surfing
Although it may seem like glancing at someone‘s screen is relatively harmless on the surface, shoulder surfing can enable attackers to:
Commit identity theft
Armed with stolen information, cybercriminals can fully impersonate victims online and in person. They're able to open financial accounts, access existing accounts, file tax returns, make purchases and more in the victim's name. This can severely damage credit and lead to major headaches for the victim.
- On average, victims spend over 175 hours and $1,300 out of pocket repairing damage from identity theft cases.
Perpetrate financial fraud
Shoulder surfers may observe and memorize banking details, account numbers, credit card numbers and other financial information. This provides them with all they need to drain accounts, make unauthorized transactions, open loans and more.
- There were over 167,000 cases of credit card fraud last year, with average losses of $1,300 per cardholder.
Compromise credentials
Glimpsing login credentials allows attackers to access and take over accounts. They can read private communications, lock out victims, change passwords, steal data and more.
- 81% of hacking-related data breaches are due to compromised passwords.
Cause emotional distress
Having sensitive personal data compromised can lead to significant stress, anxiety, loss of privacy, embarrassment, and discomfort for victims.
Smith emphasizes that victims may also experience major hassles:
"Beyond financial losses, victims deal with frozen accounts, mountains of paperwork, calls to banks and credit bureaus, and many wasted hours trying to reverse damages."
And attackers often share or sell the data they obtain to others for identity theft and financial fraud, multiplying the impact.
What to do if you're targeted by shoulder surfers
If you suspect you've been the victim of a shoulder surfing attack, here are important steps to take right away:
- Monitor accounts closely – Carefully scrutinize all financial accounts and login credentials that may have been compromised for any suspicious activity.
- Change passwords – Immediately change passwords on any potentially accessed accounts. Make them long and complex. Enable two-factor authentication anywhere possible for an added layer of security.
- Contact banks – Alert your bank and credit card companies to monitor for fraudulent transactions. Request new card numbers if credentials have been compromised.
- Freeze credit – Place a credit freeze on accounts with credit bureaus like Equifax and Experian to prevent new lines of credit being opened in your name.
- File a report – Submit an official identity theft report with the FTC at identitytheft.gov and file a police report on the incident. This helps undo fraudulent activity.
- Dispute fraudulent charges – If any charges, loans or lines of credit were opened fraudulently, begin the dispute process and provide documentation around the identity theft.
Don't delay in taking action if you've been shoulder surfed. Each minute the attacker has your information increases the risk.
Expert shoulder surfing prevention tips
Now that you know how much damage shoulder surfers can inflict, it's crucial to take measures to avoid becoming a victim yourself.
Smith recommends individuals and companies follow these tips to keep devices and data secure from prying eyes:
Be aware of surroundings
- Frequently glance around your environment before accessing any apps or info on your devices. Check if anyone seems to be staring or angling to see your screen.
- Shield your screen from view whenever entering passwords, credit cards or other sensitive data in public. Use your body to block visual access.
Only access sensitive info in secure settings
- Avoid banking, entering passwords or viewing private communications on your devices in public when possible.
- If you need to access risky sites in public, try to find a seat out of direct sight lines or facing walls/corners.
Use privacy screens
- Invest in a reputable privacy screen protector or filter with four-way viewing angle protection. This renders your screen unreadable from the sides.
Adjust displays for privacy
- Decrease font sizes and zoom levels so text is harder to read from afar. Avoid full screen modes.
- Angle your screen away from prying eyes. Avoid placing it directly facing bystanders.
- Activate auto screen lock features after short 1-2 minute periods of inactivity.
Keep conversations quiet
- Be mindful of how loudly you discuss confidential information like health conditions in public settings where you could easily be overheard.
Use secure networks
- Only access sensitive accounts and info over secure trusted networks, never public WiFi. Use a VPN if you need to use public networks.
Create complex passwords
- Use passwords over 15 characters with convoluted mixes of letters, numbers, symbols and spacing to make them impossible to memorize from quick glances.
Use password managers
- Tools like NordPass enable auto-filling of passwords without you needing to type them out where prying eyes could see.
Enable two-factor authentication
- Add an extra step like SMS code or biometric scan to the login process on all sensitive accounts for enhanced security.
Mind shared devices
- Never enter passwords or private info on shared library/hotel/office computers. Always fully log out of any sites accessed.
Secure portable devices
- Avoid placing portable devices down in public spaces where they could easily be swiped. Keep them on your person at all times.
Train employees
- Build shoulder surfing awareness into regular cybersecurity training programs for employees. Offer tips on positioning screens in common work areas prone to risk like open offices.
Enact usage policies
- Implement Bring Your Own Device (BYOD) policies dictating cybersecurity requirements for employees accessing company data on personal devices. Restrict usage in high-risk public settings.
By putting these tips into practice consistently, individuals and companies alike can drastically reduce their chances of being victimized by shoulder surfers.
Shoulder surfing frequently asked questions
What's the difference between shoulder surfing vs. phishing?
Phishing uses deceptive digital messages to manipulate victims into clicking links and sharing personal information themselves. Shoulder surfing relies on physically observing someone's screen.
Is shoulder surfing illegal?
There is no definitive law, but it could potentially fall under invasion of privacy or enable later identity theft. Employees at companies with confidential data may also violate non-disclosure agreements.
How can you tell if someone is shoulder surfing?
Look for people angling or leaning to see your screen, quickly glancing away when you notice them, using phone cameras pointed at you or typing on their own device as they observe.
Can shoulder surfing target desktop computer screens?
Absolutely. Cybercriminals can shoulder surf fixed desktops in offices, libraries, schools and other public places. Position your monitor cautiously and use privacy filters.
What's the easiest way to avoid shoulder surfing?
Using your device in non-public spaces whenever accessing sensitive info. Privacy screens and adjusting displays to limit visibility also help significantly.
What's the best way to create shoulder surfing-proof passwords?
Very long, completely random passwords using all character types make it extremely difficult for observers to memorize credentials before you enter them and type the next key.
Is it possible to shoulder surf on airplanes?
The cramped space makes airplanes prime spots for shoulder surfing your movies, texts, emails and more. Be extra mindful of positioning devices to avoid prying eyes. Use screen filters.
Can you tell if your password has been compromised by shoulder surfing?
Unusual account access and activity you didn't initiate may indicate credentials have been stolen. Attackers often wait days or weeks before using swiped passwords though. Monitor account access logs carefully.
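One way to act on that advice, as an added example that is not from the article or from Smith: a small Python script that parses constructed sign-in log lines (the log format, user name, device names, IP addresses and exposure time are all made up here) and flags successful sign-ins from unrecognised devices in a long window after the suspected exposure, since a stolen password may not be used for days or weeks.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the article), one per line.
SAMPLE_LOG = """\
2024-03-01T08:12:00 user=alice device=laptop-home ip=203.0.113.10 result=success
2024-03-02T07:55:00 user=alice device=laptop-home ip=203.0.113.10 result=success
2024-03-09T23:41:00 user=alice device=unknown-android ip=198.51.100.7 result=failure
2024-03-09T23:42:30 user=alice device=unknown-android ip=198.51.100.7 result=success
2024-03-10T06:30:00 user=alice device=phone-personal ip=203.0.113.10 result=success
"""
# Assumed for the sample: devices the owner recognises, and when the password was likely seen.
KNOWN_DEVICES = {"laptop-home", "phone-personal"}
SUSPECTED_EXPOSURE = datetime(2024, 3, 2, 8, 0)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>\S+)$"
)

def parse_events(log_text):
    """Parse one event per line into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def suspicious_logins(events, known_devices, exposure_time, window_days=30):
    """Successful sign-ins from unrecognised devices within window_days after the
    suspected exposure. The window is long on purpose: a stolen password is often
    not used until days or weeks later, so a short look-back would miss it."""
    deadline = exposure_time + timedelta(days=window_days)
    return [ev for ev in events
            if ev["result"] == "success"
            and exposure_time <= ev["ts"] <= deadline
            and ev["device"] not in known_devices]

def check_sample():
    """Run the check over the constructed sample and return the flagged events."""
    return suspicious_logins(parse_events(SAMPLE_LOG), KNOWN_DEVICES, SUSPECTED_EXPOSURE)

if __name__ == "__main__":
    for ev in check_sample():
        print(f"{ev['ts'].isoformat()} {ev['user']} signed in from {ev['device']} ({ev['ip']})")
```

The failed attempt from the unknown device is left out because only a successful sign-in means the stolen password actually worked; a real review would also compare the IP addresses and locations the account's provider shows.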
Conclusion
Shoulder surfing presents very real risks in our technology-filled world today. While it may seem harmless at first, it can enable serious financial fraud, identity theft, account compromise and more.
With proper precautions, individuals and companies can reduce risks dramatically. This includes both being vigilant about your physical surroundings and taking steps to minimize the sensitive information displayed on your screens in public.
By implementing expert shoulder surfing prevention best practices consistently across devices, accounts and environments, you can avoid exposing the goldmine of confidential data attackers are after.
Remember, your information security extends beyond the digital realm to being cognizant of visual threats in the real world as well. Stay safe out there!