Shoulder Surfing: Stealing Secrets in Plain Sight

Password Attack
Ronan Mahony
Dec 15, 2023
Shoulder Surfing: Stealing Secrets in Plain Sight

In today’s digital world, the passwords and codes people use to access accounts and apps are vulnerable in many ways; one of those ways is shoulder surfing in which malicious individuals observe sensitive information being entered or displayed on a system or screen. In contexts ranging from ATMs where PINs unlock a world of financial information to corporate settings where a single password is often the gateway to valuable enterprise data, the risks of shoulder surfing are potentially far-reaching. This article provides a deep dive into what shoulder surfing is, how it works, and how to prevent it. 

What is Shoulder Surfing?

Shoulder surfing is a rather rudimentary method used by threat actors to obtain secrets like passwords, PIN codes, and confidential information. This type of attack lacks any of the high-tech glamor associated with hacking. Instead, shoulder surfing operates on the principle of plain unadulterated observation.  

At its core, shoulder surfing involves someone with malicious intent looking over a person’s shoulder, eavesdropping on conversations, or even using binoculars to snoop on sensitive information. Catching a glimpse of a password being entered into a laptop or even noting down confidential details displayed on a workstation are common examples. 

For a threat actor, the ease of execution in a shoulder surfing attack is enticing. With minimal effort and virtually no cost, malicious individuals can gain access to information that they can use for financial gain, identity theft, or corporate espionage. When targeting individuals with access to high-value information or account privileges, the potential rewards are substantial. 

From a psychological standpoint, shoulder surfing exploits the natural tendency to let one’s guard down amidst the hustle and bustle of daily work or personal lives. This guard lowering comes in the form of believing that no one is particularly interested in one’s mundane activities. Unfortunately, this false sense of security is precisely what the shoulder surfer exploits. 

Moreover, the casual nature of the act, which requires no special gadgets or software, often means victims are oblivious to the invasion of their privacy until it’s too late. In a world where discussions increasingly focus on sophisticated cyber threats, it’s crucial to remember and guard against the simple, low-tech dangers that persist.  

The Shoulder Surfing Attack Process

While it might be a low-tech type of attack, it’s still helpful to understand the shoulder surfing attack process in a granular way as this helps inform intervention strategies. It’s also worth noting that experienced cybercriminals usually follow a systematic approach to maximize their chances of success. 

    1. Target Selection—in choosing someone worth snooping on, threat actors might focus on people who seem easily distractible or individuals displaying signs of access to useful information (e.g. wearing an employee badge from a well-known company). Crowded places like subways, buses, cafes, and airports are ideal since people are more likely to use their devices and the attacker can easily blend in. It’s also worth noting that malicious insiders are also potential perpetrators of shoulder surfing attacks, and they can and do occur in an office environment. 
    2. Observation—The most straightforward method is direct observation where the attacker simply watches the chosen target’s screen and keypad actions. To seem inconspicuous, the attacker might pretend to be engaged in other activities, like reading a newspaper or talking on the phone. Indirect observation by using binoculars, zooming features on modern smartphone cameras, and even reflections from windows, mirrors, or tabletops is also possible. 
  • Information Retrieval—After observation, it’s important to be able to retrieve what’s been observed. Some adversaries rely on pure memory for retrieval, especially for short sequences like PIN codes. Other ways to retrieve the observed info include using a body camera, recording device, or writing down longer sequences on a notepad. 
  • Information Use—The final step is putting the information acquired during a shoulder surfing attack to use. This might include accessing an account and initiating unauthorized transactions or selling high-value employee credentials on the dark web. 

Implications and Consequences

Sometimes the secrets that intruders upon privacy observe are nothing more than credentials to a social media account. But other times, the password that a savvy hacker spies on by lurking over someone’s shoulder might provide the veritable keys to the kingdom of a company’s most sensitive data. Here is a brief run-through of some shoulder surfing implications affecting people and companies alike:

  • Financial loss is a particularly common outcome. In one 2023 shoulder surfing incident, a man lost 70,000 GBP from personal and business bank accounts on a night out. These losses come from either unauthorized purchases or account takeovers that transfer large chunks of cash. 
  • Identity theft is another issue. Hackers can combine gleaned information with other data to create detailed profiles that help them impersonate victims. With sufficient details, they can open bank accounts, take out loans, or apply for credit cards in the victim’s name.
  • Data breaches are a particularly unsavory outcome of some shoulder attacks, with huge impacts on businesses and individuals. If the chosen target accesses company accounts or apps, stealing their password could well lead to compromises of company databases containing sensitive information. 

    Preventing Shoulder Surfing

    Simple actions and increased awareness can prevent people from falling victim to shoulder surfing. Here are practical tips and best practices to help individuals defend against these invasive observations:

    • Before entering or viewing any sensitive information, always take a moment to assess your environment. Be aware of anyone standing too close or appearing overly interested in what you’re doing.
    • If possible, position yourself against a wall or in a corner when using devices in public to reduce the number of angles from which someone can observe you.
    • Use your free hand or body to shield the keypad when entering PINs at ATMs or payment terminals.
    • Invest in privacy screen protectors for smartphones, tablets, and laptops. These screens allow the device’s display to be visible only to the person looking directly at it by obscuring the view from side angles.
    • Reduce your laptop and smartphone screen’s brightness when in public areas to make it harder for onlookers to figure out what’s on your screen. 
    • Consider using password manager tools on desktops and laptops for password entry with automated inputs, so you’re not manually keying in details. 
    • Use fingerprint sensors or other biometric authentication features where available as these bypass visible data entry. 
    • Be wary when inputting or viewing sensitive info on any device for distractions like questions, sudden noises, or other tactics that cunning cybercriminals might deploy.

    By integrating these practices into daily routines, individuals can greatly reduce their vulnerability to shoulder surfing. 

    Shoulder Surfing in the Digital Age

    It’s worth considering briefly the influence of the digital age on shoulder surfing. This silent threat stretches back to the days when people peered over shoulders to decode calling card digits and either re-use them or sell them for cheaper prices. The dawn of the modern digital age marked by the common use of touchscreens and electronic devices that access business, personal, and societal services has transformed the way shoulder surfing is executed.

    The popularity of touchscreens has introduced gesture-based inputs, such as swipes, patterns, and taps. While these methods offer user convenience, they also present a visual pattern for observers. For example, a pattern lock on a smartphone might be more easily deciphered from a distance than a traditional PIN. Today’s screens are also sharper, brighter, and clearer than ever, which makes it easier for people to spy on information, even from a distance. 

    Increased reliance on mobile devices for transactions gives lurkers more chances to shoulder surf. The rise of digital wallets, online banking, and mobile payments means that sensitive financial transactions now often occur in public spaces. Urban settings in particular are often crowded; think of subway trains during rush hour or bustling cafes. Being in crowded locations makes it hard to maintain privacy on the bright screens that people use.

    Countermeasures and Security Awareness

    Shoulder surfing is one of the many ways that a data breach could occur. From a business standpoint, the impact of an employee’s password being spied on over their shoulder can cause millions of dollars of damage if access to their account leads to a data breach. The most recent estimate from 2023 puts the average loss to companies at $4.45 million per data breach. Unlike other password-based attacks that leave digital footprints, shoulder surfing is a physical act that IT admins or security teams can’t trace (until they possibly observe suspicious logins). 

    Furthermore, as companies integrate technology and remote work environments, they face an increased risk from threats like shoulder surfing. With this in mind, here are some countermeasures worth considering for organizations to manage what is a pressing security risk.

    • Just as people might use privacy screens for personal devices, organizations can invest in these for employee monitors, especially those in high-traffic or open-office plan areas.
    • Use multi-factor authentication (MFA) for system access. By combining something the user knows (password) with something they have (smart card or mobile device) or something they are (biometric data), the chances of a breach through shoulder surfing go way down because spying on the password alone doesn’t suffice to gain access.
    • Implementing short inactivity timers that automatically lock screens can prevent unauthorized access and viewing of sensitive information in the event an employee steps away without securing their workstation or company-sanctioned remote work device. 

    Ultimately, though, security-aware employees are the first line of defense against shoulder surfing. Regular training equips employees with the knowledge that prying eyes often seek out secrets via shoulder surfing and how to prevent it. Interactive scenarios, simulations, and real-life examples help drive home the importance and methods of prevention. Lastly, strategically placed reminders in the form of posters, screensavers, or stickers encourage employees to guard against shoulder surfing. 


    The proliferation of high-resolution screens, mobile transactions, and touchscreen gestures has expanded the opportunities for shoulder surfers. Spaces like open floor offices, busy cafes, and public transport present a heightened risk. Here, people frequently conduct digital transactions and display sensitive information on devices without thinking twice about the risk of observation.

    Individuals can shield PIN entries, use privacy screens, and maintain spatial awareness to guard against shoulder surfing. Organizations can implement technological measures such as privacy screens, automatic screen locks, and password managers. Crucially, training and educating employees about the risks and prevention strategies for shoulder surfing is effective. 

    Moving away from reliance on passwords to biometrics-based authentication solutions presents a promising future in mitigating shoulder surfing risks. Multi-Pass by Kelvin Zero uses biometric technology to authenticate users. The smart card includes a fingerprint sensor and contactless technology to prove proximity and enable users to easily authenticate themselves with a single tap so that prying eyes have nothing to observe that they can use to access an account or service.

Ronan Mahony

Ronan Mahony is a seasoned content writer who specializes in cybersecurity topics. With a knack for breaking down complex subjects into engaging and informative blog posts and articles, Ronan is dedicated to making cybersecurity accessible to a wider audience.