Ever felt like someone was watching you behind your back? When you’re out and about, in a café working on your computer, on public transport typing away on your mobile phone, or withdrawing money from an ATM on a busy street. Sometimes, though, it’s not just a feeling, but actually a security attack that blurs the line between your online and physical life. This attack is called shoulder surfing.
So, what is shoulder surfing?
Shoulder surfing is a type of social engineering attack in which an unauthorized person physically watches a device's screen or keypad to obtain private information, such as passwords, credit card details, and PINs. Shoulder surfers lurk in public or semi-public environments, such as cafés, libraries, and public transportation, or anywhere else people enter confidential data. As the name suggests, they look over their victims' shoulders, which is why viewing or entering sensitive data in public places, particularly crowded ones, is risky.
Mechanics behind shoulder surfing
Even though shoulder surfing seems straightforward, attackers still rely on a few distinct techniques:
Casual glance. In public, you never know when a prying eye will catch you. A shoulder surfer might casually glance over your shoulder while pretending to be busy with ordinary activities like reading a book or scrolling on their phone.
Distraction. Some shoulder surfers will employ distraction tactics, for example, asking their victim a question or pretending to drop something, to draw their attention away from what they are doing, easing their way to steal information.
Eavesdropping. Not everything worth stealing is on a screen. An attacker who appears to be minding their own business can simply listen while you read out a card number, a one-time code, or a password, for example during a phone call or when checking in at a counter.
Remote observation. Some attackers don't rely on direct observation at all. They use technology, such as recording devices, hidden cameras, and binoculars, to gather information without being anywhere near their victim. This is less common, but still a real risk.
Where do shoulder surfing attacks happen?
Unsurprisingly, shoulder surfing attacks can happen almost anywhere in public places. Let’s review the possible places and circumstances in which shoulder surfers can steal information.
Using an ATM
Picture this: you're on a busy street, withdrawing money from an ATM. A shoulder surfer could position themselves to watch you enter your PIN. The PIN alone is not enough to empty your account, but it becomes valuable the moment the attacker also gets hold of your card, for example by stealing it later. And if you walk away from an ATM that has not ended your session, the attacker can carry on with it, unless the machine requires the card to be inserted again for every transaction, as most modern ATMs do.
At a café
Another place where shoulder surfing can happen is a busy café. You need to check your bank account on your laptop, and while you do, the person sitting nearby discreetly peeks at your screen, perhaps pretending to read a book or work on their own laptop. Hours or even days later, you notice unauthorized transactions on your account.
Taking public transport
Any public transport vehicle is probably one of the most crowded places you'll find, especially during rush hour. So, let's say you're on a tram or metro, minding your own business. You've been logged out of your social media account and now have to log back in, with someone looking over your shoulder unbeknownst to you. With your email address and password, the attacker can log in to your account and even use it for identity theft.
At the airport
Airports don’t necessarily mean the beginning of an exciting adventure if you end up being the victim of a shoulder surfing attack. Imagine someone leaning toward you while you enter your personal or credit card details into a travel app. They memorize this sensitive information, and then use it to access your accounts.
How to prevent shoulder surfing?
Naturally, the question arises: is there a way to prevent shoulder surfing? Yes, and it's simple: always be aware of your surroundings whenever you're in a public place, and follow these basic cybersecurity measures to avoid falling victim to a shoulder surfing attack.
First and foremost, avoid working on tasks that involve private data in public. These include logging in to your bank account, reading confidential documents, shopping online, or filing your taxes.
However, if you expect that you'll sometimes need to access sensitive information in public, invest in a privacy screen filter. These filters are placed over the screen of your laptop or smartphone and have a coating that makes the display very hard to read from side angles while it stays readable from directly in front.
Still, even with a privacy screen, it is worth physically shielding your keyboard when you type sensitive information like passwords in crowded places, because a filter hides the screen, not your fingers. Also, always keep some physical distance from others when you use your devices for sensitive tasks. If you're at a café or an airport and need to leave your laptop or phone unattended for even a split second, lock your device first. And enable two-factor authentication on your important accounts, so that a password someone happened to glimpse is not enough on its own to log in.
Lastly, start using a password manager that will allow you to safely store and then autofill your sensitive data, such as passwords or credit card details.
How does shoulder surfing lead to cybercrime?
By now, it should be clear that shoulder surfing is a cybersecurity issue, even though it occurs in the physical world. Once a criminal reads any relevant data off a victim's screen or keypad, they can exploit it. Credit card details, usernames and passwords, social security numbers, and PINs are all gold mines for attackers, who can use the information to break into the victim's online accounts. This can result in theft, account takeovers, and even identity theft.
How can NordPass help you prevent shoulder surfing?
As already mentioned, a password manager can help you avoid shoulder surfing through autofill. NordPass's autofill feature simplifies logging in to websites and apps and filling out forms by automatically inserting your saved credentials and personal information. Because you never type your username and password key by key, there is nothing for an observer to watch on your keyboard, and the time your data is exposed on the screen shrinks to the moment the form is submitted.