What Is Shoulder Surfing?

What Is Shoulder Surfing? loading="lazy"

Through April 20, 2022, Experian, TransUnion and Equifax will offer all U.S. consumers free weekly credit reports through AnnualCreditReport.com to help you protect your financial health during the sudden and unprecedented hardship caused by COVID-19.

The term shoulder surfing might conjure up images of a little surfer "hanging ten" on your shirt collar, but the reality is much more mundane. Shoulder surfing is a criminal practice where thieves steal your personal data by spying over your shoulder as you use a laptop, ATM, public kiosk or other electronic device in public. Despite the funny name, it's a security risk that can cause a financial wipeout.

The practice long predates smartphones and laptops, and goes back to when criminals spied on pay phone users as they punched in their phone card numbers to make calls. From there, thieves moved to observing their victims key in PINs while using ATMs, paying for gas at self-service pumps or even making a purchase in a store.

When Does Shoulder Surfing Happen?

Shoulder surfing can occur anytime you're sharing personal information in a public place. That includes not only ATMs, payment kiosks and PIN pads, but just about any place where you use a laptop, tablet or smartphone to input personal data.

The original shoulder surfers usually didn't loom over their victims' shoulders to scope out information. Instead, they stood a safe distance away and interpreted finger movements as people typed in numbers on a keypad. Similarly, today's shoulder surfers often escape notice as they quietly observe others in public places like airport lounges and shopping centers, bars and restaurants, on trains or subways, or anywhere people are out and about.

While you may feel safe from shoulder surfing because there's no one right behind you at the ATM, today's sophisticated criminals often snoop from afar. They might use high-powered binoculars, miniature cameras, or the camera on their own phone or tablet to peer at your screen or keypad. They could be eavesdropping (sometimes using powerful microphones) as you read off credit card numbers over the phone or provide your Social Security number over the phone. Often, the criminals snap photos, take a video or record audio of the information and save it to interpret later.

Here are some common places where shoulder surfing might occur:

  • At a bar: You're at a crowded restaurant bar waiting for your date. To pass the time, you log into Instagram. Unfortunately, you don't realize the person jammed up against you is eyeing your password—which happens to be the same password you use for your email account and bank account.
  • At an ATM: You're getting cash at an ATM. You feel safe because the man behind you in line is at least 10 feet away, looking at his phone (or so you think). Actually, he's recording your finger movements on his phone and will quickly decipher them to get your PIN number.
  • At the airport: Your flight is delayed, so you grab your laptop and kill time in the airport lounge with a little online shopping. You're so excited to discover the shoes you've been eyeing are on sale, you don't see the woman a few seats away staring at your screen as you input your credit card information.

What Are the Consequences of Shoulder Surfing?

Using your credit card information to make fraudulent purchases is just one example of the damage shoulder surfers can do. The more personal information a criminal captures about you, the more far-reaching the consequences can be for your bank account and your financial health.

For example, if you use a debit card at an ATM where thieves have installed a card skimmer, they may be able to capture both your PIN and your account number and gain access to your bank account. If a criminal sees your smartphone PIN and gets hold of your phone, they could access all the account information, payment card data and passwords stored on it.

One or two fraudulent purchases can be quickly spotted and easily corrected by issuing you a new credit card. But if the fraud isn't discovered right away, it could have major long-term fallout. Shoulder surfers may also sell your data on the dark web.

At worst, shoulder surfing can expose you to identity theft. A criminal may use your personal information, such as your Social Security number, to open new credit accounts, apply for loans, rent apartments or apply for jobs under your name. An identity thief could get their hands on your tax refund, use your health insurance to get medical care or apply for government benefits under your name. They might even commit a crime and provide your personal information when questioned by police, leaving you with a criminal record or a warrant for your arrest.

Identity theft can take months or years to straighten out, requiring you to make endless phone calls, take time off work and pay for services or reports needed to reclaim your identity. The financial and emotional toll can be huge, while your credit score potentially suffers in the meantime. A credit history affected by fraud and identity theft can make it harder to rent an apartment, buy a home, finance a new car or even get a job.

Steps for Preventing Shoulder Surfing

As you can see, there are many reasons to be concerned about shoulder surfing. Following these steps can help protect you from shoulder surfers.

  • Get physical. If you must enter a password or PIN on a mobile device in public, stand or sit with your back against a wall. When using an ATM or PIN pad, shield the keys from view with your body and your other hand. If there's no way to avoid sharing credit card numbers or other sensitive data over the phone, move away from others and speak quietly, shielding your mouth with your hand. Put privacy protector screens on your laptop, tablet and smartphone. While this won't keep thieves from spying on what you type, it can prevent them from seeing which account you're logging into.
  • Avoid reusing passwords. Two-thirds of Americans in a Harris Poll last year admit to reusing passwords for more than one account. Doing so can multiply the fraud that could result if that password is compromised. If a shoulder surfer gets hold of a password you've used and your email address, they can try them with hundreds of websites and services. This could result in them gaining access to more of your accounts. Use password manager apps to generate secure passwords (random strings of letters, numbers and symbols) and store them securely to ensure you never reuse a password. Since the password manager logs in for you, you don't have to type anything, so there's nothing for shoulder surfers to see—just make sure to protect your master password well.
  • Take advantage of technology. It doesn't matter how secure your passwords are if someone can see you typing them. Employ the facial recognition or fingerprint logins some apps offer on laptops and mobile devices to access your data without the need to input PINs or passwords. Use contactless payment apps to pay without keying in PINs.
  • Don't log in to sensitive accounts on public Wi-Fi or shared devices. Shoulder surfers aside, it's never a good idea to use public Wi-Fi or shared devices (such as computers at the public library or tablets on display at the Apple Store) to log in to your personal accounts or shop online. Public Wi-Fi networks are vulnerable to hackers who can tap into the connection and steal your data.
  • Use two-factor authentication. Two-factor authentication requires a second form of identity verification in addition to your password. For example, your bank might send you a one-time code to log in that's only good for a few minutes. Even a thief with your password or PIN can't get them into your bank account without inputting the code. Two-factor authentication can slow down access to your accounts, but protecting your sensitive data is worth the delay.
  • Watch for warning signs of foul play. The earlier you spot signs of fraud or identity theft, the faster you can act to address it. Review your credit card, bank account and other financial statements every month. Look for anything that appears suspicious, such as a transaction with a company you don't recognize or a withdrawal from an ATM in a strange city. If you have financial accounts or store accounts you rarely use, log in occasionally and consider removing saved payment information.

Monitor Your Credit Regularly

Checking your credit report is free, and you can get it through AnnualCreditReport.com or directly from Experian. Doing so regularly can help you spot potential fraud and identity theft. Staying on top of your credit report is easy to do when you sign up for free credit monitoring. Experian's free credit monitoring service alerts you of new inquiries and accounts, changes to your personal information, and suspicious activity on your Experian credit report.

If you've fallen victim to fraud, or suspect you may have, consider adding a fraud alert to your credit reports. A fraud alert (also called a security alert) notifies lenders to take additional steps to verify your identity before processing applications for new credit cards or loans in your name. Placing a fraud alert at any one of the three major credit bureaus—Experian, Equifax and TransUnion—automatically places it at all three.

Shoulder surfers can pose a threat to your personal data. Using a credit monitoring service—and a little common sense when you're in public—can give you the peace of mind to "hang loose."