What Is Shoulder Surfing?

Quick Answer

Shoulder surfing is when identity thieves glance over your shoulder and steal your personal data, such as your login details for a bank or credit card account or bank PIN.

A hooded man using a laptop on a rooftop seating area.

As its name suggests, shoulder surfing is a method of identity theft where thieves steal your personal data while spying over your shoulder. Unfortunately, it's fairly easy for prying eyes to look over your shoulder in any public place to steal your data as you use your smartphone, laptop or any other device.

Shoulder surfing is a type of social engineering in which thieves attempt to obtain your personal data like personal identification numbers (PINs) and passwords. Not surprisingly, the consequences of a shoulder surfing attack can be severe, such as your sensitive information being sold on the dark web or an attacker gaining access to your bank account and stealing your funds.

Thankfully, protecting yourself against shoulder surfers is straightforward and can thwart many would-be thieves.

When Does Shoulder Surfing Happen?

Despite its name, shoulder surfing can happen whether someone is standing directly behind you or far away using binoculars, a telescope or even a video camera. Anytime you're sharing personal information on your laptop, tablet or other device in a public place, be aware that snoopers may be trying to steal your data.

Here are some common places and scenarios where shoulder surfing might occur:

  • At an ATM: You're getting cash at an ATM. You feel safe because the man behind you is 10 feet away, looking at his phone. In reality, he's recording your finger movements to decipher your PIN.
  • At work: Whether you're in an open office area or a meeting room, someone might casually look over your shoulder and view what you're typing or reading. For example, you could be filling out employment forms on a computer in the human resources office while a nearby coworker views you entering your Social Security number or other sensitive information.
  • At a coffee shop: Coffee shops are hubs of computer activity, with patrons using their laptops, mobile phones and other devices—a fact not lost on identity thieves. Even if you use a virtual private network (VPN) to encrypt your data, someone nearby could quickly glance over, see you log in to your bank or credit card account and copy your information.
  • At the airport: Your flight is delayed, so you grab your laptop to do some online shopping. Excited to find an item you want is on sale, you don't notice the woman nearby staring at your screen as you input your credit card information.
  • At a restaurant or bar: While waiting for your date at a crowded restaurant, you log on to Instagram. The person next to you catches you entering your password, which happens to be the same one for your email and bank accounts.

How to Know if You're a Victim of Shoulder Surfing

If you're a victim of shoulder surfing, the consequences can be far-reaching and damaging to your bank account and financial health. For example, a cybercriminal could sell your data on the dark web or use it to take over your bank and credit card accounts. With enough information, a fraudster might persuade your card issuer to add them as an authorized user or have your bank mail them a checkbook.

In the most serious cases, shoulder surfing can lead to identity theft. In that case, a thief could use your Social Security number and other personal data to open new credit and loan accounts, rent an apartment and apply for jobs, all in your name. They could even intercept your tax refund and use your medical insurance.

If a thief manages to make a couple of unauthorized purchases, you can typically spot them on your statement and quickly correct the problem with your card issuer. But if the fraud isn't discovered right away, it could have major long-term fallout. Keep an eye out for these red flags that could signal you are a victim of shoulder surfing.

  • Unrecognized purchases: Check your statements to spot any purchases you don't remember making. According to the 2024 Credit Card Fraud Report and Statistics from Security.org, 60% of debit and credit card holders have had suspicious transactions made by an unauthorized cardholder.
  • Alerts from your bank or card issuer: Pay special attention to any unusual activity alerts you receive. Early detection can help mitigate damages inflicted by a shoulder surfer or thieves using other shady techniques.
  • Bank account withdrawals: An unexpected withdrawal could be a sign of identity theft. Report any unauthorized withdrawals to your bank immediately.
  • Password changes: If you receive a notification about an attempted password change to an account, it could be a sign of identity theft. In that case, change your passwords immediately and enable multifactor authentication.

How You Can Protect Yourself Against Shoulder Surfing

Fortunately, you can protect yourself from a shoulder surfing attack by implementing a few simple tactics when accessing or entering sensitive personal information on your devices in public areas:

  • Protect your screen. The most direct way to thwart a shoulder surfer is to block any view of your screen. Ideally, look for a place where your back is against a wall. Consider adding a privacy protector screen to obscure the screen's contents for good measure. If you're using an ATM, position one hand over the keypad to prevent snooping eyes from memorizing your PIN.
  • Create unique passwords. According to an Identity Theft Resource Center survey, 85% of respondents said they reuse passwords on multiple accounts. Unfortunately, if someone gains access to one of these passwords, they could expose each of those accounts to fraud. If you don't want to remember dozens of passwords for your accounts, consider using a single sign-on password manager app to simplify the process of securing your accounts.
  • Bolster your account security. Thankfully, there are a number of quick and easy ways to fortify your account security. In addition to using a password manager, enable multifactor authentication and biometric authentication (fingerprints, voice or face recognition) to make it that much harder for thieves to access your accounts.
  • Don't access personal accounts in public. Perhaps the best way to make sure your personal data isn't compromised in public areas is to set a personal policy never to access or enter sensitive information in public areas. Even if someone looks over your shoulder or uses binoculars or other vision-enhancing tools from afar, it won't matter if you aren't entering any sensitive information to begin with.
  • Keep quiet. It may be tempting to handle a personal matter with your bank or credit card issuer over the phone while you're watching your child's soccer practice; however, it's not a good idea to share personal data on your phone when you're in public places. Just as someone can look over your shoulder to view private information, someone within earshot can hear it with almost no effort.

Identity theft can take months or years to straighten out, requiring you to make endless phone calls, take time off work and pay for services or reports needed to reclaim your identity. Being aware of your surroundings and taking precautions when you're online in public can help you avoid falling victim to shoulder surfers.

Keep an Eye out for Unusual or Unauthorized Activity

You never know when a shoulder surfer could be near, ready to steal your personal data. Protecting yourself using the tactics above can limit the opportunities for a shoulder surfing attack.

Check your bank and credit accounts regularly for suspicious activity. While you're securing your accounts, you might consider getting a free dark web scan or privacy scan to see if any of your personal information is for sale online and discover how to better safeguard your data.