What is shoulder surfing? And how to avoid it

Cybercrime is more profitable than ever before. In 2023, the FBI saw a 10 percent increase in complaints and noted that the amount of money lost to online criminals has doubled in just two years. The silver lining is that this led to a renewed focus on cybersecurity, with most organizations offering some form of mandatory training. However, if we focus too hard on preventing the most modern attacks, we often forget to counter simple tactics like shoulder surfing. Make no mistake: this rudimentary approach to data theft remains extremely dangerous.

The good news is that you don’t need fancy software or technical expertise to prevent shoulder surfing; you just have to be aware of your surroundings and make yourself an unappealing target. Below, we’ll let you know what to look out for and recommend a few ways to make stealing your login credentials as difficult as possible.

What exactly is shoulder surfing?

Shoulder surfing is when somebody watches your screen and/or keyboard to see what you type. This could happen at an ATM, coffee shop, or office, but the attacker’s goal is always to discover information that allows them to access your accounts.

Since this approach requires close proximity to the target, it’s usually an opportunistic crime but one that offers a decent payday for anyone who manages to pull it off. Additionally, shoulder surfing tends to happen in places where lots of people are in close proximity, making it difficult to know if you’ve been targeted until it’s too late.

Why is shoulder surfing a problem?

After stealing your login credentials, hackers can use your accounts to learn more about you and may even be able to transfer funds or make purchases without your knowledge. Additionally, once an attacker accesses one of your accounts, it becomes exponentially easier to break into others. For instance, if your email is compromised, they can reset your password on any site that’s linked to that email address. They could also lock you out, preventing you from taking back control or reporting the breach using the site’s built-in systems.

There are other issues, too. The attacker may not even use the stolen login credentials for months, preventing you from realizing anything is amiss. You can’t rely on automated fraud-prevention systems either; unauthorized logins are unlikely to be flagged as suspicious since the culprit is usually in the same city as you.

How can I protect myself against shoulder surfing?

The best way to prevent shoulder surfing is to think about who can see your screen and be mindful about how you use your computer in public. If possible, sit against a wall, away from other people, to minimize the risk of anyone being able to see what you type. You may also want to obscure your keyboard by covering the keys with your hand or using something like a bag to obscure an attacker’s line of sight.

Never leave your PC unattended in a public place. If you have to (for instance, if you’re using an office PC), then be sure to lock it before leaving. Don’t give personal information over the phone either, since anyone nearby could listen in. We strongly recommend setting up two-factor authentication on any accounts that allow it. This ensures that even if someone does steal your login details, they can’t actually use them without access to your email, phone, or authenticator app.

Longer, more complex passwords are always a good idea too – if even a single character is incorrect, the attacker won’t be able to log in. You won’t even have to remember these yourself, since there are tons of free password managers available that can help you create and store unique passwords for every site you use.

Other privacy issues to be aware of when browsing in public

Unfortunately, nosey people aren’t the only problem you’ll face while using your devices in public places. Hotspot owners can see everything you get up to online or insert tracking cookies into the pages you visit, for instance, and it’s extremely simple for attackers to trick you into using a fake network with a similar name.

Luckily, you can prevent all of these issues by connecting to a Virtual Private Network (VPN). These encrypt your traffic, rendering it unreadable, so even if you do inadvertently use a network owned by a data-hungry operator, your activities will remain private. Many providers now offer automatic ad and tracker-blocking too, allowing you to protect yourself against some of the internet’s most intrusive annoyances.

TRY OUR TOP-RATED VPN RISK-FREE

NordVPN is offering a fully-featured risk-free 30-day trial if you sign up at this page. You can use the VPN rated #1 by Comparitech with no restrictions for a month.

There are no hidden terms—just contact support within 30 days if you decide NordVPN isn't right for you and you'll get a full refund. Start your NordVPN trial here.

Frequently Asked Questions

Do privacy screens prevent shoulder surfing?

You may have heard of privacy filters, which are essentially a layer of plastic that goes over your screen to prevent people from viewing it unless they’re standing directly behind you. The problem is that these are generally fairly expensive and your window can still be seen clearly from up to three meters away.

So is a privacy screen worth it? That depends – if it’ll make you feel safer, go for it. Just be aware that they’re not a complete solution to the problem of shoulder surfing. The best defense will always be vigilance and good digital hygiene, neither of which will cost you a cent.

What info can an attacker find by watching my screen?

Generally, shoulder surfers will be looking for passwords and PIN numbers, but if they’re resourceful enough, just about anything could be useful. The exact information they see will depend on which sites you visit, but email addresses, phone numbers, usernames, passwords, or bank account numbers are all extremely valuable.

Sometimes, criminals will take a less direct approach. For instance, if they see you browsing Facebook, they could note down the names of people you follow and contact them claiming to know you. Alternatively, they could email you claiming to be from Starbucks, your office, or wherever they saw you, knowing that you’re more likely to reply, having actually visited that place recently. Despite being such a basic form of attack, shoulder surfing gives someone many different ways to hurt you, and as such, it should never be underestimated.

What should I do if one of my accounts has been breached?

Having an account accessed without your permission can be extremely scary but it’s important to take a deep breath before you react. First, verify that it’s actually been breached: a common tactic is to send a phishing email asking you to reset your password, which then leads to you giving your login details away.

Assuming the breach is genuine, change your password (assuming you’re able) and if you’ve used the same password on other sites, change those too. If you can’t, contact the site’s support team directly and let them know what has happened. This kind of thing happens every day and there’ll definitely be a protocol in place to limit the damage. You may also want to alert your bank, credit card provider, or payment processor if the account has access to financial data. Finally, though it might be embarrassing, it’s vital you report the crime to authorities; if you don’t, there will very likely be other victims.

	Our Score	Our Verdict
1. 4.5/5
Verdict: Best VPN for changing Netflix region
1.	4.5/5	Best VPN for changing Netflix region	Get NordVPN »
Get NordVPN »
2. 4.5/5
Verdict: Best budget option
2.	4.5/5	Best budget option	Get Surfshark »
Get Surfshack »
3. 4.5/5
Verdict: Highly versatile
3.	4.5/5	Highly versatile	Get ExpressVPN »
Get ExpressVPN »
4. 4/5
Verdict: Easy to use
4.	4/5	Easy to use	Get CyberGhost »
Get CyberGhost »
5. 3/5
Verdict: No connection limit
5.	3/5	Unlimited devices	Get IPVanish »
Get IPVanish »