What is shoulder surfing?


When most people imagine a hacker, they picture a cybercriminal sitting in a basement, remotely breaking into business systems to reach confidential data. Yet a great deal of cybercriminal activity starts with something as innocuous as a glance over someone's shoulder. While it may seem harmless, shoulder surfing is more common than people think. That is why it is crucial to understand what shoulder surfing is, how shoulder surfers steal information, what it looks like in practice and, more importantly, what steps you can take to prevent it.

What is shoulder surfing?

So what is shoulder surfing? Shoulder surfing is a social engineering technique used to capture personal data and credentials. The shoulder surfer aims to obtain personal identification numbers (PINs), passwords and other sensitive data by watching over the victim's shoulder, whether by reading keystrokes and screens on a device or by eavesdropping on what is said aloud.

Shoulder surfing is an effective technique for obtaining someone's personal information in a crowded space, for example when the victim is entering a PIN at an ATM, filling out a form, or paying for goods with a credit card.

Shoulder surfing is a form of hacking in its own right, since it gives the shoulder surfer unauthorised access to the victim's data. However, not everyone treats it as seriously as a full-scale attack in which a cybercriminal remotely forces their way into business systems.

Examples of shoulder surfing

Shoulder surfing can happen anywhere, and shoulder surfers can strike in several ways. ATMs and kiosks are among the most common locations where potential victims are at risk. However, shoulder surfing can also occur when you enter personal data on a tablet or smartphone in a coffee shop, or while finishing that presentation on an airplane or train. Some scenarios where shoulder surfing may occur are:

  • Entering your PIN at the ATM or cash point
  • Using your credit or debit card and PIN to pay for an in-store transaction
  • Logging onto a banking app or website using your username and password on a mobile device
  • Accessing corporate or business systems remotely from a public location
  • Providing details verbally either in person, or over the phone

Consequences of shoulder surfing

Many individuals can probably recall moments when they could have glanced at or eavesdropped on someone had they wanted to. Now imagine all the opportunities that exist for actors with malicious intent. For businesses as well as individuals, shoulder surfing can lead to the exploitation of employees, for example by holding stolen personal data to ransom.

76% of respondents who use a mobile device reported having observed (whether accidentally or not) someone else’s PIN at some point


More directly, shoulder surfing could lead to a severe data breach. The consequences of data breaches should not be underestimated. According to the Cost of a Data Breach study (conducted on behalf of IBM by the Ponemon Institute), the average total cost of a data breach in the UK is £2.53 million.

Security incidents, and more specifically data breaches, have a direct impact on a business, such as fines from industry regulators and loss of market reputation, in addition to further potential implications.

Tips for preventing shoulder surfing

Technology has made shoulder surfing much easier: the abundance of digital cameras, including the one in every smartphone, means a shoulder surfer can snoop from a distance and record a whole password rather than catch a glimpse of it. Keeping your employees and corporate information secure by following best practices will make it far harder for shoulder surfers to target your business. Here are 8 tips to prevent shoulder surfing:

1. Install a privacy filter – Privacy filters are thin plastic films that restrict screen visibility to a narrow viewing angle directly in front of the screen. They are available for desktop and laptop computers as well as mobile devices. A relatively cheap solution, a privacy filter ensures that a shoulder surfer looking from the side sees only a dark screen. It does not help against someone standing directly behind you, so combine it with awareness of your surroundings.

2. Stay aware of your surroundings – Find a secluded spot, away from the crowd, where you can conduct private business. Where possible, work with your back to a wall so that nobody can stand behind you and look over your shoulder. Refrain from verbally confirming passwords, security codes or other personal information in public or over the phone.

3. Use a password manager – A password manager generates a strong, unique password for each site and fills it in for you, so you rarely have to type a password where others can see it. A shoulder surfer cannot capture what you never type. Bear in mind that the manager itself still has to be unlocked, so use biometric unlock where available, or enter the master password only where nobody can observe you.

4. Protect PINs – Most financial institutions recommend covering the keypad when you enter a PIN, but only a few people take this advice seriously. Shielding the PIN pad with your other hand as you enter your PIN is a simple and effective way to prevent shoulder surfing. If you feel you have been watched while entering your PIN, change it immediately. As part of security best practice, change your PIN regularly throughout the year.

5. Avoid using public networks – Free public Wi-Fi, such as that found in coffee shops and hotels, is often poorly configured and susceptible to attack. Public Wi-Fi is often unencrypted, meaning anyone on the same network can potentially capture personal and confidential data, such as passwords, bank details and credit card details, from any connection that is not itself protected by TLS (HTTPS). If you have no alternative, use a VPN when on public Wi-Fi.

6. Set strong passwords – Use long, random passwords. A long password is difficult for a shoulder surfer to capture in a single glance or to reconstruct from the keys they saw you press. Note that it offers no protection against someone recording you with a camera, which is why the other tips matter just as much. Here are our tips to improve your password security.

7. Use biometric authentication if possible – Most modern phones and mobile devices can use facial recognition or a fingerprint to authenticate the user to the device. Such features avoid the need to enter a PIN or password in view of others, so there is nothing to watch. Biometric authentication is one of the best ways of preventing shoulder surfing, but remember that the fallback PIN or passcode still exists, so protect it as described in tip 4.

8. Use two-factor authentication – Many applications allow you to enable two-step verification. Two-factor authentication (2FA) protects your account even if a credential is stolen: it authenticates a user with two different methods, for example a username and password plus a one-time code generated by an authenticator app or sent to your phone. If a shoulder surfer captures your password and tries to use it, the second factor stops them. A one-time code can be shoulder surfed too, but it is only valid for a short window (typically 30 seconds) and, on a properly implemented server, can only be used once.
