What Is Shoulder Surfing? How Thieves Rob You With Their Eyes


Gaetano DiNardi

Head of Content at Aura


Is Someone Watching You Enter Your PIN in Public?

Shoulder surfing is one of the easiest ways for scammers to get access to your personal information. This includes your credit card numbers, PINs, and passwords.

But shoulder surfing isn't just someone looking over as you enter a PIN. Today, scammers use advanced methods and technologies to steal your sensitive information.

So how can you browse, shop, and work in public without fear of someone’s wandering eyes?

In this guide, we’ll teach you how modern shoulder surfers steal your information and how you can protect yourself from becoming a target.

What Is Shoulder Surfing?

Shoulder surfing is a type of social engineering attack where someone steals your sensitive information by secretly watching you use your credit or debit card, mobile device, or laptop.

Attacks are fairly common and tend to happen in public. Thieves eavesdrop and wait for you to let down your guard, like when you’re rushed or unaware of your surroundings.

Example of Shoulder Surfing: ATM Withdrawals

• As you enter your ATM PIN, you notice a nearby shopper talking loudly on their phone.
• You think nothing of their presence, but they’re watching you tap in your PIN.
• When you’re done, they keep yelling on the phone, so you rush off before the transaction is entirely over.
• As you walk away, they go to the ATM that’s asking “Would you like to make another transaction?” They hit yes, enter your PIN, and steal your money.
• Once a scammer collects your information, they can use it for identity theft, financial fraud, or even sell it on the Dark Web.

Nine out of ten Americans reported a fraud attempt on them in the last year. We all know to be careful with our private information in public. So where do shoulder surfing attacks happen, and how do scammers get past our defenses?

Take action: If scammers “shoulder surf” your personal information, your bank account, email, and identity could be at risk. Try Aura’s identity theft protection free for 14 days to secure your identity against scammers.

Where Do Shoulder Surfing Attacks Happen?

Shoulder surfing began in the early 1980s when scammers would snoop as people entered calling card numbers into public payphones. They would then either use the numbers themselves to make long-distance calls or sell them for a cheaper price.

Today, scammers still use the method of looking over their victim’s shoulder to capture their confidential data. But they’ve also evolved their scams to take advantage of new technologies and the vulnerabilities of our devices.

Here are the most common examples of shoulder surfing to beware of:

In Crowded Environments Such as Bars, Restaurants, and Airports

Shoulder surfers hang out in crowded spaces where they can blend in and steal information without being detected.

For example, let’s say you’re out with friends at a bar or restaurant and need to transfer money into your account to pay the bill. A shoulder surfer nearby can watch you enter your banking information into your mobile banking app and use it later to empty your account or commit financial fraud.

When You’re Using an ATM

Have you ever wondered if the person standing next to you saw your PIN as you typed it into the keypad? Shoulder surfers regularly target ATMs in public places, such as outside a gas station.

But they’re not just waiting around to spy your PIN. Instead, they’ll employ a number of different frauds, such as:

• “Skimmers” or “shimmers.” These small devices attach on top of an ATM or go inside the card reader itself and steal your account information when you use them.
• Video cameras and recording devices. Some shoulder surfers will place tiny cameras around ATMs to directly observe your PIN keystrokes and card details.
• Binoculars and high-powered listening devices. Other scammers might stay in their car across the parking lot and use binoculars and listening devices to steal your information.

On Public Transportation

Few people think twice about using their phones on public transportation. But this is a perfect situation for shoulder surfers to attack.

Whenever you log into one of your phone's apps or enter your passcode, a shoulder surfer can make note of that information. Later, they might steal your phone or wallet and gain access to your sensitive information.

Your phone is often a golden ticket to your most sensitive information. When my phone was stolen on a holiday, scammers got access to my bank accounts, cryptocurrency wallets, and email. They were even able to change my passwords and lock me out of my own accounts.

While Using Public Wi-Fi

If you’ve ever logged into accounts on the Wi-Fi at your local coffee shop, you’ve put your sensitive information at risk.

Cybercriminals use unsecured public Wi-Fi networks to commit man-in-the-middle (MITM) attacks. These are a form of shoulder surfing where they intercept your connection to steal sensitive data.

The worst part is, you won’t even know it’s happening to you. As you browse Instagram, Snapchat, or other social media, shop, or log in to work apps, the criminal captures all of your details from afar.

When You’re Talking on the Phone in Public

Sometimes shoulder surfers aren’t eavesdropping on what you type but on what you say.

Let’s say you’re talking to your child on your cellphone and they ask for your credit card details to make a purchase online. Without thinking twice, you read them aloud for anyone to hear.

During the First Days of a New Job

Nowhere is entirely safe from scammers or shoulder surfers. Just think about all the information you’re required to give up when you start a new job — Social Security number, address, phone number, banking details for benefits.

Your new coworkers could come over for a chat and catch a glimpse of your most sensitive information.

Take action: If you accidentally give scammers your personal data, they could take out loans in your name or empty your bank account. Try an identity theft protection service to monitor your finances and alert you to fraud.

What Are the Consequences of Shoulder Surfing?

In each of the examples of shoulder surfing we just listed, scammers got access to your personally identifiable information (PII). This includes your name, address, phone number, Social Security number, banking information, phone and credit card PINs, and account passwords.

With this information, scammers can wipe you out financially, take out loans in your name, or commit bank fraud. They can also gain access to sensitive information or photos you don’t want shared, or steal your medical benefits (i.e., medical identity theft). They could even sell your identity on the Dark Web.

The worst thing about shoulder surfing attacks is that many go undetected until it’s too late.

If you don’t regularly monitor your credit reports or get fraud alerts, you’ll only find out that someone has stolen your identity when you get a strange bill in the mail, find out your account is empty, or don’t qualify for a home or car loan.

Unfortunately, recovering from identity theft can take weeks, months, or even years.

10 Ways To Protect Yourself from Shoulder Surfing Attacks

1. Physically block out would-be scammers
2. Use strong passwords and a secure password manager
3. Don’t use public Wi-Fi networks to log into accounts
4. Add a privacy screen protector to your devices
5. Enable 2FA — but not SMS
6. Never input personal information into public computers
7. Use biometrics like fingerprints and facial recognition
8. Set up fraud alerts to automatically monitor your credit
9. Find a private place when you need to share sensitive information
10. Avoid using ATMs in public places

Like most scammers, shoulder surfers rely on your human nature to be trusting. Awareness of your surroundings is the first step in protecting yourself from shoulder surfing attacks. Don’t be caught off guard when using your mobile device, tablet, or laptop in public.

1. Physically block out would-be scammers

Surfers can’t steal what they can’t see. Put your body between your sensitive information and anyone’s direct line of sight. For example, shield the keys on a PIN pad when entering your code, or stand against a wall and hold your phone up to your body when entering passwords.

2. Use strong passwords and a secure password manager

It’s harder to catch and remember a password that’s long, complicated, and full of different characters.

Avoid using common or easy passwords, and don’t fall into the trap of reusing old ones. According to a study from Harris Poll and Google, 66% of Americans reuse the same passwords for social media, email, and banking accounts.

But if someone spies your Facebook password and it’s the same as all your other accounts, you just gave them access to everything.

Image: Aura Password Manager

To help you remember different and difficult passwords, use a secure password manager. This tool securely stores all your usernames and passwords and gives you easy access when you need them.

3. Don’t use public Wi-Fi networks to log into accounts

Man-in-the-middle attacks take advantage of weak public Wi-Fi security to watch you enter your details. If you have to log into an account while on public Wi-Fi, disconnect and use your phone’s hotspot instead. This will block cyber surfers from seeing your login information.

For additional security, consider a virtual private network (VPN). This will encrypt your network connection so scammers and hackers can’t get access and see what you’re doing.

4. Add a privacy screen protector to your devices

Many screen protectors make it harder for other people to see what’s on your phone, laptop, and other electronic devices. While a privacy protector won’t stop them from watching your keystrokes, it’ll stop them from seeing what site you’re using or your username.

5. Enable two-factor authentication (2FA) – but not SMS

Two-factor authentication is a security measure that requires a one-time code — either from an app or a text message — along with your password to access an account. It adds an extra layer of safety in case someone gets access to your passwords.

Pro tip: Avoid using SMS for 2FA. A shoulder surfer could see the code on your phone or even steal your device and bypass the security. Instead, use an authenticator app, such as those from Google or Okta.

6. Never input personal data into public computer systems

Public computers in libraries or hotel business centers can be infected with malware designed to steal your info. Never use these to log in to your sensitive accounts.

7. Use biometric authentication like fingerprints or facial recognition

Security measures tied to your fingerprints or facial recognition make it harder for scammers to get access to your accounts. However, there's always still the possibility of fingerprint identity theft. Make sure to combine biometric authentication with a secure password for the best protection.

You can also use technologies like contactless payment so fraudsters don’t have a chance to see your PIN.

8. Set up fraud alerts to automatically monitor your credit

One of the fastest ways to shut down a successful shoulder surfer is to catch them committing any type of financial fraud. A fraud monitoring system keeps tabs on all your accounts and alerts you of any suspicious activity.

Image: Aura Credit Monitoring

With Aura credit monitoring, you don’t have to monitor your credit report yourself for fraudulent activity. We’ll check activity across your SSN, bank, and personal accounts and let you know if anything suspicious is going on.

9. Find a private place to share sensitive information

If you need to give someone your credit card or other sensitive information over the phone, wait until you’re in a private place. If this isn’t possible, try to call the person back at another time.

10. Avoid using ATMs in public places

ATMs outside of gas stations or in public places are easier to tamper with or monitor. Avoid these and instead use ones inside a business. It’s less likely that a scammer was able to install a skimmer or shimmer on these.

Bonus: Consider signing up for identity theft protection

Aura’s top-rated identity theft protection monitors all of your most sensitive personal information, online accounts, and finances for signs of fraud. If a scammer tries to access your accounts or finances, Aura can help you take action before it’s too late.

Try Aura’s 14-day free trial for immediate protection while you’re most vulnerable.

Did a Shoulder Lurker Steal Your Identity?

Any form of identity theft — including shoulder surfing — can take time, effort, and money to resolve.

If you know your sensitive information has been compromised, you need to report it to the authorities and take back control of your accounts.

For identity theft and fraud, you’ll want to:

1. Notify the FTC at www.IdentityTheft.gov.
2. Contact your local law enforcement and file a police report.
3. Get in touch with any financial institutions, businesses, or lenders that have been the target of financial fraud using your information.
4. Contact the three nationwide credit bureaus to alert them of the fraudulent activity.
5. Freeze your credit so scammers can’t open new accounts in your name.
6. Change your passwords and force unrecognized devices to sign out.
7. Get identity theft protection.

Aura can handle many of the steps above for you, or work proactively so your identity stays safe in the first place. With Aura, you can protect your entire family, along with a $1,000,000 insurance policy for eligible losses due to identity theft.

Ready for ironclad identity theft protection? Try Aura 14 days free.
