What Is Shoulder Surfing? Tips to Protect Your Personal Information

Not all threats to your accounts and privacy happen online. They can happen right next to you. The stranger sitting next to you on the metro, in a coffee shop, or at the airport may not be an innocent stranger.
Instead, they could be looking for an opportunity and the right moment to look over your shoulder and steal your passwords or personal information.
Shoulder surfing attacks happen when someone watches you enter sensitive information, such as a PIN or password, into your device or account. Once they see you enter your details, the attacker can later use this information to gain unauthorized access to your accounts.
As these attacks happen in public, they can be just as dangerous as phishing, ransomware, and other cyberattacks, as they can occur without you knowing, even with advanced security measures on your device.
What is shoulder surfing?
Shoulder surfing is one of many social engineering attacks where a person will spy on you while you enter passwords or PINs at cash machines, on your device, or on websites.
Although it's one of the few cyberattacks that requires being close to the target, the complexity of how a criminal does this can vary. It can happen by simply observing over your shoulder on a busy metro or using advanced technology such as hidden cameras to observe your activity from a distance to avoid suspicion.
How does shoulder surfing work?
This kind of attack typically starts with the attacker choosing and monitoring a public space while they look for their next target.
Common places include:
- Public transportation (buses, trains, subways)
- Coffee shops or cafes
- Airports or train stations
- Libraries or bookstores
- Offices or co-working spaces
- Hotel lobbies or lounges
- Retail stores or shopping malls
- Banks or ATMs
- Public events or crowded places
- Restaurants or fast-food chains
A basic attack would be a criminal standing or sitting close enough to their target to view their screen and watch them type in their account information.
Another example would be a criminal setting up hidden cameras or using advanced binoculars to view screens without attracting attention.

This could happen in hotels, casinos, and busy streets, where people enter their details at an ATM. Office buildings could also be at risk, as an attacker may monitor an employee's screen to access sensitive data.
In some cases, the attacker would use more advanced technology to access people’s information using drones or other kinds of remote surveillance equipment in places like hotels or Airbnb.
This technique relies on observing the target without being noticed, whether the technology is a basic method such as looking over your shoulder or more sophisticated tech like drones.
Risks and consequences of shoulder surfing
Like most cyberattacks, one of the significant risks of shoulder surfing is that you’re unaware it happened until it's too late. Here is what could happen if you’re not careful.
Identity theft
Anyone who views your personal information (usernames, passwords, and credit card information) can use it to steal your identity.
With this information, they can use your account information to make fraudulent purchases online and access your personal accounts, such as your email, which can give them access to more information and extend their attack. Sometimes, they can create new accounts in your name to carry out other forms of identity theft.
Financial losses
If a criminal observes you entering your PIN at an ATM or monitors you during online banking, they could access your credit card details or banking account to make unauthorized purchases or transfers.
These can be difficult to reverse, causing you to lose access to your savings and leading to significant emotional damage and stress.
This attack can, therefore, result in immediate financial losses, especially if a criminal gets access to your mobile banking apps, ATMs, or credit card details, and victims may face significant monetary damage.
Data breaches
For office workers, shoulder surfing can significantly impact a business. Monitoring the screens of office workers can expose corporate secrets, customer data, and passwords that can give the attacker access to corporate accounts and more confidential information.

Legal consequences
The consequences of data breaches for a company can be severe. They can result in a loss of trust among its customer base, plus legal and compliance fees for the company, which could reach millions depending on the severity of the attack.
Real-world examples
Here are some real-world examples of shoulder surfing from across the world.
- Attacks were conducted primarily on pattern-based passwords (64/77 or 83.1%)
- A study of commuters in the UK found that 72% shoulder surfed, although this was mostly out of boredom rather than for fraudulent intent.
- A study from NYU found that 73% of survey respondents indicated they had seen someone else’s confidential PIN without them knowing.
- In 2022, research indicated that strangers were the most frequent observers in public spaces, including cafes.
- In January 2025, two French nationals were arrested for using shoulder surfing techniques to steal bank cards and withdraw funds illegally. They were suspected of 75 other offenses, resulting in a total loss of more than €200,000.
- In May 2024 in the UK, another shoulder surfing example happened when a passenger photographed a confidential memo on a government minister's laptop while on a train.
How to prevent shoulder surfing
It’s possible to prevent and deter cybercriminals from monitoring your activity and stealing your information with the following techniques and tools.

Be aware of your surroundings
In public spaces, try to choose a location with no people behind you or one that is protected by a wall, if possible. If not, you can buy a privacy screen for your phone and laptop.
These are readily available online and make the content on your screen visible only to the person directly in front of it. If anyone tries to look at your screen from a different angle (such as from the side or behind), all they will see is a darkened, blurred, or distorted image.
You should also dim your screen to make it harder to view the content from a distance, and set up your device to auto-lock the screen once it’s inactive for a few minutes for additional protection.
When you’re at an ATM, the best way to prevent people from viewing your PIN is to be aware of who is close to you and shield your PIN using your hands or body.
Protect your accounts
Protect your accounts using strong, unique passwords or passphrases across all your accounts to prevent further unauthorized access.
A more secure option that’s becoming more common is logging in using a magic link, a one-time unique link to log in that prevents hackers from stealing your password. Just ensure you still hide your email login when accessing the message.
Internxt's strong password generator can help create unique, complex passwords and passphrases to make this process easier. Once created, set up 2FA and store your passwords using a password manager.
Attackers may still use other techniques to try and steal your data in public places and Wi-Fi spots, so for further protection, use Internxt's encrypted VPN to prevent unauthorized access to your network and gain more anonymity online.
Finally, continue to monitor your accounts and bank statements for unusual activity, and check if your emails or passwords have leaked online using Internxt's Dark Web Monitor.
What to do if someone steals your information
If you suspect someone has accessed your accounts, follow these steps:
- Change the passwords for all your accounts.
- Notify relevant authorities, such as your bank and the police.
- Inform the necessary people in the workplace so they can take immediate action to prevent a data breach.
- Freeze your credit and cards to prevent criminals from making purchases or adding more credit in your name.
- Check your device for malware using the Internxt Antivirus to ensure attackers haven’t used your accounts to install a virus.

Once you have taken these steps, continue to monitor your accounts regularly and follow the measures we previously discussed to prevent this kind of attack from happening again.
Frequently asked questions
Is shoulder surfing illegal?
Although unethical, watching someone’s screen on the metro isn’t illegal. However, using someone’s information without permission is classified as theft and fraud. Setting up illegal surveillance tools intending to steal information is also illegal.
What are the signs?
Someone standing too close to you, frequently glancing at your screen, or walking past your device repeatedly could signal they are trying to monitor your activity and steal your information.
What devices are most vulnerable?
Laptops, smartphones, and tablets are all vulnerable as people commonly use them in high-risk areas such as cafes or airports.
Is it safe to use my device in a public place?
Using your device in public can increase the risk of someone stealing your personal information, so using a privacy screen and being aware of your environment and who is nearby is recommended.