What is Shoulder Surfing? The Low-tech Identity Theft Threat You’re Overlooking

by Cyrus Grant

Humans are curious creatures, so it’s easy to brush off a nosy stranger’s glance in your direction. The problem is that a quick peek at your phone could be an innocent turn of the head, or it could be a scammer trying to shoulder surf your information. 

Here’s what you need to know about shoulder surfing and how to stay safe from peeping thieves.

What is Shoulder Surfing? 

If you’re like most people, you probably check your phone out of habit more than you even realize. According to recent studies, on average, Americans check their phones 144 times a day and spend nearly 4.5 hours a day doing everything from sending emails, playing games, and scrolling social media to paying bills and scheduling important appointments. There’s nothing inherently wrong with that, but doing so in public can open up opportunities for criminals to commit what is known as “shoulder surfing.”

Shoulder surfing is a low-tech (or rather no-tech) method for thieves to steal private information from your phone or laptop screen, simply by looking over your shoulder in the hopes of catching a password, PIN, credit card number, or some other stealable bit of info as you enter it.

Why Criminals Do It

In a world full of online scams, viruses, and all other types of high-tech thievery, the reality is that shoulder surfing requires nothing but a pair of eyes and people whose guards are down in public. It’s easy, it’s accessible, and it’s all about seizing opportunities. 

Next time you’re out in public, whether it’s at a coffee shop, restaurant, park, or honestly anywhere else, take a moment to look around and you’ll notice a lot of screens in front of faces. While you see people going about their day on their phones and computers, criminals see opportunity, and there’s no shortage of that for shoulder surfers.

How Shoulder Surfing Works

While plenty of cybersecurity-busting techniques require a certain level of tech-savviness, shoulder surfing is about as simple as it gets. Criminals go to places where people are likely to spend time on their phones and laptops, and simply try to blend in while secretly looking around in hopes of catching some valuable information.

Depending on what they’re able to see, shoulder surfers can do a number of things, like:

  • Attempt to physically steal your device if they’ve seen your passcode/PIN.
  • Memorize and use your credit card information if they see you enter it.
  • Attempt to steal your debit card if they’ve seen your ATM PIN.
  • Use private information to steal your identity or commit other scams, like contacting older members of your family, work associates, or even catfishing strangers.

Technology-Assisted Shoulder Surfing

This isn’t to say that shoulder surfing doesn’t make use of technology when it’s appropriate, however.  The most obvious example is cell phone cameras, which can easily get good-quality close-ups of your screen and hands from across a room. Shoulder surfers don’t actually need to see your fingers push the buttons — the button layout is already known, so they just need to see the motions of your hand.  One engineer even demonstrated that a camera equipped with infrared sensors can actually tell which buttons you pressed, and in which order. 

Straying into fringe territory between shoulder surfing and full-on criminal surveillance, criminals can boost their shoulder surfing abilities with tiny microphones, cameras, and recording devices. A spy cam anywhere near the keypad on an ATM or debit machine could yield a rich harvest of PINs, for example. 

When and Where You’re at Risk of Shoulder Surfing 

Since most of us take our phones with us wherever we go, shoulder surfing can technically happen anywhere strangers are around. That said, there are a few places and situations where you should try to keep your head on a swivel and your screen safe from prying eyes.

  • Coffee shops/coworking spaces: Since COVID, more people have been seeking out public places, like coffee shops or designated coworking spaces, to get some work done. It’s a good option for those looking to liven up their work-from-home workdays, but it should be done with some level of caution. (Never work on confidential or sensitive documents while in public, for example!)
  • ATMs: Fewer people are carrying cash around these days, but ATMs still see plenty of action. While most of us try to shield our PINs from people around us, ATMs are a prime location for a hidden camera. If a criminal is able to get your ATM PIN and your debit card, some serious damage can be done.
  • Public Transportation: If you’re someone who frequently uses the train or bus, you know the drill — sit down, pull your phone out, and go about your business until the ride is over. The problem is, public transport can get pretty crowded, meaning you might not notice the person next to you glancing at your phone. If you happen to be making a purchase, checking your bank statements, or doing something else involving private information, a shoulder surfer just might see what they’re looking for.
  • Phone calls in public: We’ve mostly talked about shoulder surfing as a visual observation scam, but auditory eavesdropping counts too. It’s not all that rare to get a call in which private information gets brought up. If this happens, try to limit what you share and how many people can hear you. Better yet, wait until you’re somewhere fully private.

How to Protect Yourself From Shoulder Surfing 

If everyone in sight is a potential shoulder surfer, how can you protect yourself?  You can start with some simple, commonsense precautions: 

  • If you’re using the PIN pad of an ATM or debit machine, shield it from view while you punch in your PIN. 
  • When you’re done at the ATM, make sure you’ve actually completed your transaction and the screen isn’t prompting another transaction.
  • Use a tap-enabled card (or a phone-based payment app) so you don’t need a PIN at all. In general, it’s best to avoid using a debit card anywhere but the ATM/bank.
  • Avoid logging into sensitive sites or apps (bank apps, credit card companies, etc.) in public places. 
  • If you absolutely need to log into a sensitive site, sit or stand in a place where it’s difficult for anyone to try to see your screen (and would be obvious if they do). Also, be mindful of windows or reflective surfaces behind you. 
  • Don’t use public wi-fi to log into any sensitive site. 
  • If you’re in a public place, avoid making calls that will require you to give sensitive information verbally. When it’s unavoidable, seek out a private spot — like a stairwell — where listeners couldn’t follow you without it being obvious. 
  • Install a privacy screen protector that limits the angles your phone or computer screen can be seen.
  • Use biometric security to unlock your devices, such as fingerprints or facial recognition, so you don’t have to enter your passwords/PINs in public.

These are all good habits you can easily adopt to limit your chances of becoming a victim of shoulder surfing. While you’re developing those habits, there are also some more advanced steps you can take to protect yourself and improve your overall digital security, which we’ll get into in the next section.

Improving Your Overall Security Practices

If you’re willing to put a bit of effort into upgrading your overall approach to security, there are many other things you can do — some easy, some requiring a bit of tech know-how — to protect yourself.  As a bonus, these will give you some protection against other threats as well, not just shoulder surfing:

  • Use a password manager to store passwords for your sites and apps.  Instead of typing in a password, it will simply autofill without showing the details, which gives snoops nothing to work with.  As a bonus, this makes it easier to use strong passwords and have a different one for every site.  If an attacker successfully steals a password, only one site or app will be compromised. 
  • If you’re tech-savvy, or if you frequently need to use random wi-fi hotspots for work purposes, consider using a VPN to shield your data.  A VPN basically sets up a private connection inside the public network, so your data’s protected from public wi-fi’s many vulnerabilities (you’ll still need to be wary of anybody watching you enter keystrokes). 
  • Set up multi-factor authentication (MFA), also sometimes known as two-factor authentication.  It just means that anyone signing into your account needs to provide a second proof of identity.  Most sites will text an authorization code to your phone, but that’s not as secure as you’d think.

Taking these extra steps requires a modest commitment of time and effort, but it can give you a lot of extra security in your online life.

The Rest of the Picture

For most of us, there’s no way around some amount of screentime or phone calls out in public, but with the right amount of vigilance, that shouldn’t be a problem. However, even the most cautious of us can slip up or just unfortunately become a victim of scammers and thieves. So, while prevention is the first step to staying safe, recognizing the signs that your information has been compromised can be just as important when it comes to limiting damage.

Start by educating yourself about some of the tell-tale signs that your identity has been compromised, like inexplicable variations in your credit score or suspicious charges showing up on your bank and credit card statements.  Those are always red flags.  Keeping up to date on the latest scams by periodically reading the Better Business Bureau’s Scam Tracker or the FTC’s consumer scams page is also a good idea (or staying plugged into Spokeo’s Compass blog).  

There are few guarantees in life, and it’s likely not possible to protect yourself completely.  That being said, most criminals are looking for the easy mark, and the proverbial low-hanging fruit (if they wanted to work hard, they’d have real jobs, right?).  If you follow the steps given here, you can venture online — and to the coffee shop — confidently, knowing you’ve removed yourself from the “easy mark” category.

Cyrus Grant is a writer from Southern California with a background in law and dispute resolution. When he isn’t writing, he can be found deep-diving into the latest technology trends or simply spending time at the beach.