Imagine you’re at a coffee shop, typing your banking password, or responding to an email. Behind you, someone is shoulder surfing, i.e., silently stealing every keystroke. No hacking tools—just sharp eyes and bad intentions. Within minutes, your private data is theirs.
In a world where a stolen password can drain accounts and hijack identities, shoulder surfing is one of the easiest yet most overlooked threats. The worst part? You won’t even know you’ve been compromised—until it’s too late.
In this guide, we’ll cover everything you need to know about shoulder surfing, including:
- what shoulder surfing actually is;
- how to spot and prevent shoulder surfing attacks;
- what you can do to protect your devices.
Let’s explore.
What is Shoulder Surfing?
First things first, let’s define shoulder surfing.
As the name suggests, shoulder surfing is the practice of stealing sensitive information by looking over another person’s shoulder.
This could happen, for example, while:
- you enter your iPhone PIN on the bus to check your emails;
- you enter your credit card number on the train to make an online purchase;
- you enter your debit card PIN at an ATM to retrieve some cash.
Technically speaking, shoulder surfing is not illegal. However, it is the first step toward identity theft and financial fraud. That is why it is crucial to understand the scenarios where it might happen, and how you can protect yourself.
One of the key differences between shoulder surfing and phishing or baiting is that shoulder surfing happens in the physical world.
The defense methods will therefore be very different from those against phishing, for example, where you might need a strong anti-spam filter.
Examples of Shoulder Surfing
Unfortunately, there aren’t many documented, high-profile cases of shoulder surfing. This is because, unlike scareware attacks, shoulder surfing attacks do not leave a digital trace.
The leading study on the topic is titled “Understanding Shoulder Surfing in the Wild: Stories from Users and Observers” and was conducted by the Ludwig Maximilian University of Munich in Germany.
In this study, a user survey of 174 individuals looked at real-world scenarios of shoulder surfing. The findings concluded that most shoulder surfing instances are opportunistic (i.e. not planned), but that there were cases where sensitive information was observed without consent.

It’s important to note that shoulder surfing is not just a security consideration: it’s also a privacy one.
Besides a password or PIN, an onlooker might be seeing private information, such as appointments, family pictures, etc. And here at Mailfence, we have always advocated for strong privacy, whether online or offline.
It is our opinion that strong privacy protections are fundamental to a free and democratic society. Privacy is a basic human right, and we should protect it at all costs. And this includes protecting ourselves against shoulder surfing.
Let’s now look at some of the most common situations where shoulder surfing happens.
ATM cash withdrawal
ATMs are one of the most common places where shoulder surfing attacks can occur. Scammers might be hanging around, hoping to see you type in your PIN.
Alternatively, they might be using small hidden cameras, or even binoculars.
To protect yourself against this, always stand as close to the ATM as possible when entering your PIN. Use your other hand to cover the keypad while you type. And if you see any suspicious person hanging around, pick another ATM.
Public transport
If you have a long daily commute by train or bus, you might have a habit of opening up your laptop and getting some work done.
However, using your laptop or smartphone in crowded buses or trains often exposes your screen to nearby strangers.
Attackers can discreetly glance over your shoulder to capture login credentials, payment details, or even private messages. In the worst-case scenario, a cybercriminal on a train could memorize your banking PIN, and later use it to withdraw money.
Co-working spaces
Finally, with the rise of remote work, co-working spaces have become the new normal for many people.
However, there are risks to working on confidential documents or accessing sensitive accounts in shared workspaces.
In open co-working spaces, you never know who could be watching from a distance. What’s more, some co-working spaces don’t even have security checks at the entrance, meaning anyone can just walk in.
What’s more, the Wi-Fi might not be properly secured. Data transmission might be unencrypted, rendering data like files and passwords vulnerable. The password might also be too weak, allowing for unauthorized access. This is why we always recommend using your cellular network when possible.
However, you might not always have this choice. Likewise, you might be forced to work during your train commute. So how do you prevent shoulder surfing in those cases where you don’t have a choice? That’s what we’ll explore in the next section.
How to Prevent Shoulder Surfing?
There are many mitigating strategies you can use to prevent shoulder surfing.
- The first and most obvious strategy is to be aware of your surroundings. Make sure to look around before typing your PIN at an ATM: this small act will often discourage a potential shoulder surfing attack.
- While at an ATM, make sure to select “Exit” when you are done. Some ATMs don’t require the card to be in the ATM when making an additional transaction, so the shoulder surfer can simply step in behind you and re-enter your PIN to withdraw cash.
- Do you enjoy working in coffee shops? Then make sure to pick a seat with your back turned to the wall. This will drastically reduce the risks of a shoulder surfing attack.
- Need to share sensitive information over the phone? Make sure to lower your voice and cover your mouth. Ideally, send the information over text message or with an encrypted email.
- Never EVER leave your laptop unattended. Always lock your screen and close your laptop if you need to leave your space. And if you are in a public place, simply keep your laptop on you at all times to avoid theft.
- Use biometric authentication instead of PINs and passwords. This means face recognition (Face ID) or using your thumb (Touch ID) to unlock your iPhone for example.
- Always enable 2FA on accounts that support it, such as Mailfence for your emails. 2FA adds another layer of security to your account. Even if an attacker has obtained your login credentials, they will still be unable to sign in to your accounts.
- Use contactless payment. Instead of entering a PIN, use contactless payment apps whenever possible. Many payment terminals will also let you tap your card for small amounts without entering your PIN.
Shoulder Surfing: Advanced Prevention Techniques
The previous section covered some basic habits everyone can use to prevent shoulder surfing. However, if you regularly work in co-working spaces or on the train, you might want to step up your security.
In that case, here are a few additional prevention techniques you can put in place:
- Use a privacy screen protector. Screen protectors aren’t just there to prevent the screen from being scratched. Some also prevent onlookers from seeing what is on-screen when it is viewed at an angle.

- Eyeprint ID is a brand-new technology developed by EyeVerify. This system authenticates users by analyzing unique patterns of blood vessels in the eye. Companies such as Wells Fargo have already integrated it into their mobile banking apps, allowing customers to access their accounts securely using eye vein patterns.
- Disable notifications. Notifications present a major privacy risk because they can display sensitive information from apps or emails, even when the phone is locked.
- Gaze-based authentication: instead of typing passwords, some advanced security systems use eye-tracking technology to authenticate users based on their unique gaze patterns. This eliminates the risk of passwords being stolen through visual hacking. This method is still under development but should see the light of day in the coming years.
- While not yet available, AI-powered privacy apps will soon enter the market. Research is currently underway to enable the use of a smartphone’s front camera to detect unauthorized viewers. If someone other than the user is detected looking at the screen, the display blurs or sends an alert. You can check out this Google patent to learn more.
Shoulder Surfing: Final Thoughts
That’s it for this guide on shoulder surfing! Hopefully, you now have a better understanding of this threat and how to mitigate it.
In summary, it’s important to remember that not every social engineering attack requires an elaborate ruse to get you to reveal your sensitive data. Sometimes, all it takes is not paying enough attention to your surroundings, a moment of distraction, or verbally giving the PIN to someone over the phone.
If you’re looking to bring your online security to the next level, make sure to check out our private and secure suite of tools, including email, online storage, calendar and more!