Proton

Cyberattacks aren’t always executed through sophisticated methods like man-in-the-middle (MITM) attacks on public WiFi. Sometimes they rely on something as simple as looking over your shoulder.

A shoulder surfing attack is when someone watches you enter sensitive information on your device and uses what they saw to gain unauthorized access. It’s a reminder that, however advanced our technology, we still need simple precautions to stay safe.

Shoulder surfing meaning

Shoulder surfing is a type of social engineering attack in which the attacker physically spies on someone to obtain confidential information such as passwords, PINs, or other sensitive data. This can be done by watching someone type or, in the case of eavesdropping, by listening to confidential information being spoken aloud.

A thief could be observing you directly at close range, or using binoculars, a hidden camera, or a smartphone to capture your information from a distance and remain undetected.

How shoulder surfing can affect you

Shoulder surfing attacks can have serious consequences. For example, if a thief sees your email and password, they can use them to hack into your accounts, steal your identity, or sell your information on the dark web.

By getting hold of your Social Security number, home address, and birthday, a criminal could make unauthorized purchases, open new credit cards, apply for loans, or even commit crimes using your name. You would then have to deal with the fallout by trying to prove that it wasn’t you.

Examples of shoulder surfing

Shoulder surfing usually happens in public, crowded places because attackers can easily blend in and discreetly observe people entering sensitive information without arousing suspicion. Here are some examples:

  • In cafes, people often use laptops, tablets, and smartphones for personal or work-related tasks, so a shoulder surfer might sit at a nearby table or walk past repeatedly. In 2019, a group of about 25 young women were arrested in Amsterdam for shoulder surfing in more than 100 incidents.
  • Airports are filled with travelers using their devices to check flight details, access banking services, or respond to work emails. A shoulder surfer could simply stand behind you in a queue.
  • Buses, trains, and subways are crowded with passengers sitting close to each other. A shoulder surfer could sit or stand next to you or behind you. A 2017 study by LMU Munich found that 67% of the shoulder surfing incidents it recorded happened on public transport.
  • Shared workspaces used by freelancers and remote employees are risky because you are often surrounded by strangers who can observe your screen while pretending to work on their own devices.
  • Criminals frequently target ATMs to capture PIN entries using binoculars or pinhole cameras without being noticed. For example, a man in LA was convicted of ATM shoulder surfing in 2018 after obtaining the PINs of unsuspecting bank customers.
  • At checkout counters, especially during busy times, shoppers often enter their PINs or credit card information. A shoulder surfer might pose as another customer, closely observing the keypad as someone enters their details, or even use their smartphone to covertly record the information.

How to prevent shoulder surfing

Staying alert is important to avoid shoulder surfing attacks, but there are many specific ways to protect your privacy and security.

Be strategic with your surroundings

Whenever you’re working with sensitive data in a public place, position yourself in a way that minimizes exposure to prying eyes, such as sitting with your back to a wall. You can also use a physical barrier, such as a privacy hood or screen shield, to block others’ views.

Shield the keypad with your hand or body when entering your PIN at an ATM or a shop checkout. Avoid using your devices or disclosing sensitive information over the phone until you reach a less crowded area.

Make your devices more private

In addition to being aware of your surroundings, you can make your screen harder to read. Angle your device away from potential onlookers behind or beside you, and dim the screen so that it’s harder to see from a distance.

In your device settings, configure your screen to lock automatically after a minute or two of inactivity, rather than the 15 or 30 minutes that many desktop systems default to. That way, if you step away from your laptop or leave your phone behind, there is only a short window in which someone can pick it up and read what’s on it.

Additionally, turn off notification previews on your lock screen to prevent sensitive information from being seen by others around you.

Improve your data security

Your logins are your first line of defense against attacks. Use strong, unique passwords: a long random password is far harder for a shoulder surfer to memorize or note down from a glance than a short, familiar one. Never reuse passwords across accounts, so that a single captured password can’t be turned into a credential stuffing attack against your other accounts or compound the damage of a data leak. If you suspect you have been shoulder surfed, change the affected passwords immediately.

Crucially, enable two-factor authentication (2FA) on every account that supports it. By requiring a second factor, such as a code from an authenticator app, you ensure that someone who learns your password still can’t pass the second verification step. Authenticator codes are time-limited (typically they change every 30 seconds), so a code that someone glimpses over your shoulder is only usable for a very short window, and a code that you have already submitted should not be accepted a second time. A security key or passkey, which never displays a code at all, closes even that gap.
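To make the "the code changes frequently" point concrete, here is an added worked example (not code from the Proton article or from Proton Pass) of how a time-based one-time password (TOTP, RFC 6238) is computed and verified, using only the Python standard library. The secret is the RFC 6238 reference test key, not a real account secret, and the `shoulder_surf_timeline` scenario (an attacker reads a code off a victim's screen and tries it later) is constructed for illustration. It shows that a glimpsed code is accepted only within the current time step (plus one step of clock drift), and that a server which tracks the last accepted step refuses a replay of a code the victim has already used.

```python
"""TOTP (RFC 6238) demo: why a shoulder-surfed 2FA code is only briefly useful.

Added example, not code from the Proton article or from Proton Pass.
Standard library only. The secret is the RFC 6238 Appendix B test key,
not a real account secret; the timeline below is a constructed scenario.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the displayed code

# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded the way
# authenticator apps store it when you scan a QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side check: accept the current step (plus `drift_steps` either side for
    clock skew) and never accept the same time step twice, as RFC 6238 section 5.2 advises."""

    def __init__(self, secret_b32: str, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, at_time: int) -> bool:
        now_step = at_time // self.step
        for candidate in range(now_step - self.drift_steps, now_step + self.drift_steps + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay of a step that has already been used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def shoulder_surf_timeline(secret_b32: str = DEMO_SECRET_B32, observed_at: int = 1111111111) -> dict:
    """Constructed scenario: the attacker reads the code shown at `observed_at`.

    Case 1: the victim submits it first and the attacker replays it seconds later.
    Case 2: the victim never submits it (the attacker only watched the authenticator app)
            and tries it 20 s later, then 120 s later.
    """
    code_seen = totp(secret_b32, observed_at)

    used = TotpVerifier(secret_b32)
    victim_ok = used.verify(code_seen, observed_at)      # legitimate login
    replay_ok = used.verify(code_seen, observed_at + 5)  # same step, already spent

    within_window = TotpVerifier(secret_b32).verify(code_seen, observed_at + 20)
    expired = TotpVerifier(secret_b32).verify(code_seen, observed_at + 120)

    return {
        "code": code_seen,
        "victim": victim_ok,
        "replay": replay_ok,
        "within_window": within_window,
        "expired": expired,
    }


if __name__ == "__main__":
    # RFC 6238 reference vector: at unix time 59 the 6-digit SHA-1 code is 287082.
    print("code at t=59:", totp(DEMO_SECRET_B32, 59))
    print(shoulder_surf_timeline())
```

The result worth noticing is the difference between `within_window` (True: an unused code can still be entered by whoever saw it for up to about a minute) and `replay` / `expired` (both False). The first is the residual risk that a passkey or security key removes, since neither shows a code that can be read off a screen; the second is why a verifier should remember the last accepted time step instead of accepting any code that is merely "current".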

Set up fraud alerts and regularly check your bank statements and credit reports for any unauthorized activity. Monitor the web to see if your data was leaked, and take action if necessary.

How Proton Pass makes these steps easier

Proton Pass is a secure password manager that remembers all your passwords and auto-fills them on any device, so a shoulder surfer watching your keystrokes has nothing to capture.

It generates random, complex passwords, as well as passkeys to log in to online accounts without passwords.

Proton Pass also includes a built-in 2FA authenticator to use with all your accounts that support 2FA. You can also use Pass Monitor to audit the security of all your accounts. It includes Password Health, which checks for weak or reused passwords, and Dark Web Monitoring, which notifies you immediately if your personal information is leaked on the web.

We protect your data with end-to-end encryption to ensure no one can read your data, not even us. All our apps are open source and independently audited.

Improve your online privacy and security by signing up for a free Proton Pass account.

Frequently asked questions

What does no shoulder surfing mean?

“No shoulder surfing” means taking precautions to prevent people from looking over your shoulder to see sensitive information you are entering on a device, such as passwords, PINs, or other private data. It signifies being aware of your surroundings and ensuring that no one can easily view your screen or keyboard to steal your personal information.

Is it illegal to shoulder surf?

While merely watching someone might not be a crime in itself, using what you see to steal someone’s identity, commit fraud, or gain unauthorized access to accounts or data is illegal. In most jurisdictions, any form of data theft or unauthorized access to personal information is a criminal act.

What is the difference between shoulder surfing and dumpster surfing?

Shoulder surfing involves directly observing someone to obtain sensitive information by looking over their shoulder, usually in public places. In contrast, dumpster surfing (or dumpster diving) means to look into trash bins or dumpsters for valuable information like documents or electronic devices.
