What is Shoulder Surfing, And How Can It Cause Identity Theft?
Table of Contents
- By Emmett
- Mar 22, 2022
The FTC received 4.8 million identity theft reports in 2020 alone, an increase of 45 percent from the previous year. There are various ways cybercriminals can steal your identity, whether that be through malicious software, false websites, or other online scams. But what about those who steal your information right in front of you? With shoulder surfing, data theft can occur entirely offline, right under your nose.
What is Shoulder Surfing?
Shoulder surfing, like many methods of data or identity theft, involves stealing confidential credentials and information for online accounts. But unlike other attacks like phishing and malware, basic shoulder surfing requires no skill or monetary investment, and can’t be traced digitally.
The process can be as low-tech as the criminal wants and is performed by simply being near a victim and watching or listening as they use sensitive information.
Shoulder surfing is often employed in public spaces like cafes, airports, or other crowded rooms where individuals engage in activities involving sensitive information. Society has standardized these places as “secondary work areas” where users are more comfortable accessing banking sites, making online purchases, or logging into social media accounts.
The act is widespread but not always intentional. In 2016, a study found that over 70 percent of people stated they’d watched someone else enter their phone PIN. Another study reported that 97 percent of people notice intentional and unintentional shoulder surfing in daily life.
This surveillance can occur any time you input or use account details in person, on a public network, or via a transaction.
What’s the Goal of Shoulder Surfing?
The consequences of shoulder surfing vary from trivial to severe, depending on what the other person sees. If you’re doing anything involving personal or financial information, you’re opening up the possibility of identity theft.
Using what they learn, shoulder surfers can break into your bank account or open one in your name. You’ll take a credit hit when the bills go unpaid, and the fraud could continue for years before you notice a problem. Even if they only see basic details, they could use that information to answer security questions or guess your passwords.
Another goal of shoulder surfing might be to access a victim’s social or professional accounts. The criminal might see someone log into their employer’s servers and access confidential documents. Or they may break into social media accounts to collect more information or damage the victim’s reputation by making dangerous posts.
How Does Shoulder Surfing Occur?
It may seem rudimentary, but shoulder surfing is a very real and easy way for criminals to get your information.
Anytime you input account credentials or access private accounts in a public area, thieves could be nearby. For most instances of theft, you won't even know the person was there at all. Many criminals will observe their victims from a distance, obtaining the information they need and leaving before anyone is the wiser.
When was the last time you carefully studied a bank parking lot before accessing an ATM, looked around for cameras before filling out important paperwork, or checked to see if anyone was watching before swiping your credit card? That's how shoulder surfing happens, usually when you least expect it.
In general, there are two ways shoulder surfing is performed, including:
Shoulder surfers move to get a better view of their target’s screen or keyboard without raising suspicion. Some skilled surfers can deduce what you’re typing just by watching your fingers move. It’s even easier if they just need to eavesdrop on a person’s phone call.
Attackers often pretend to be doing something else, like talking to a stranger, playing a game on their phone, or stretching.
Many people dismiss the possibility that someone is watching them even if they notice suspicious movement from them. Victims tell themselves that they’re being paranoid and allow the surfer to continue monitoring them.
The zoom feature on high-end cameras and phones provides incredible clarity even at far distances. Even low-end devices can accurately capture a keyboard from across the room. Shoulder surfers use these devices to record your screen, hand movements, or keyboard. This allows them to analyze the information later and create a more sophisticated attack.
It’s difficult to notice attackers using this tactic since they’re so far away. It’s getting even more challenging due to how many people are constantly on their phones in crowded spaces.
Here are four common scenarios that can expose you to shoulder surfing.
Getting Some Work Done In a Coffee Shop
You decide to do some work in your local coffee shop and bring your laptop to connect to their WiFi. You log in to their public network and take a moment to pay some bills online. Unfortunately, there are two ways shoulder surfers could get your information here.
One, they could watch as you enter the information, writing it down without you noticing. Two, they could access your computer through that unencrypted public network. Either way, they now have your account details and can use them to engage in fraudulent activities.
Making a Purchase in Public
One of the easiest targets for shoulder surfers is the oblivious shopper. Many credit cards only require a 4-digit PIN to access, and many people don't bother to cover the pad when they enter it.
For example, at the supermarket, you swipe your card and enter your PIN into the card reader. But little do you know, the person beside you, next in line, is pretending to be on his phone. He is actually recording your transaction! Eventually, this person will figure out your card information and use it to their advantage.
Giving Personal Details Over the Phone
You arrive early for an appointment and are sitting in the waiting room of your doctor's office. You get a call from one of your children, and they need to purchase something online for school. Without thinking, you read them your credit card information so they can make their purchase.
Maybe a roommate needs access to your Netflix or Disney+ account to watch a series premiere. Unfortunately, another person sitting in the waiting room hears this and can now use your information to use your credit card themselves.
It’s not just the people around you that you need to worry about. Be careful if the person on the other end of the call is in public. Even if you’re in a safe place, ensure the other person isn’t repeating the information out loud.
Starting a New Job
You've just gotten a new job and are filling out the intake paperwork to start your employment. These documents require many different pieces of personal information, including your name, social security number, address, bank account for direct deposit, and phone number. You sit in a common area while filling out this paperwork, greeting your new coworkers as they pass by. Little do you know, they've seen all of the sensitive information on these forms and can now use them for whatever purpose they would like.
How Can I Prevent Shoulder Surfing?
Using your information in public can't be avoided; there are certain situations that require the input of sensitive data. What you can control are the actions you take to keep that data safe.
Here are a few tips you can use to keep yourself safe from scammers.
Check The Area Before Inputting Information
Whether you are at an ATM, on the phone, or putting in account details in a public area, make sure everything is safe. Look around for suspicious cameras, lingering onlookers, or anything else that may compromise your data.
If you can, find a private place to put in any sensitive information, so you can make sure the only person who sees your accounts is you. It’s better to stand facing a corner for a few minutes than to file a stolen identity report to the Federal Trade Comission (FTC).
Only Use ATMs You Can Trust
Drive a little further to find a secure ATM. Many people know to be wary of gas station ATMs, but the machines outside your local grocery store aren’t safe either. Even if the business they’re attached to is trustworthy.
Outdoor ATMs don’t benefit from the strict security measures banks employ. Any criminal can install a camera nearby or put a chip-scanning device in the card slot. It’s best to take a little more time to find an official location, and reputable banks often have all-day ATM services as long as you have your card on you.
Create Physical Barriers
Block the payment pad or your phone screen with your hand before inputting your login credentials. Anything that limits other people’s viewing angles will work, such as positioning your body between your screen and them. Standing closer to the screen works just as well.
If you’re in an open space and can’t block your screen perfectly, then consider dimming its brightness. This will make it much harder for any onlookers to read what you’re typing accurately.
To help protect your accounts, you can set up multi-layered identity confirmation. Multi-factor authentication involves two separate authentication processes, often asking for a password or PIN along with confirmation via phone or email. This extra account protection means that even if scammers get your password, they won't be able to log into your accounts.
Use Biometric Passwords
In addition to two-factor authentication, biometrics are an excellent way to secure your accounts with extra layers of security. For biometric authentication, your devices will require facial or fingerprint recognition to allow access.
Try Contactless Payment
One of the main ways shoulder surfers get your information is by watching you swipe a credit or debit card. You can eliminate this step by using contactless payment methods, which don't require a password or PIN for purchases. These include Android Pay, Apple Pay, and Google Wallet.
Don't Reuse Old Passwords
For many, remembering different passwords can be frustrating. But reusing old passwords can make it easier for scammers to find and access your accounts. You want to use unique PINs and passwords for each account, so it doesn't affect every other account if one gets compromised.
Consider a password manager if you’re worried about keeping track of multiple randomized passwords. Many free options are available, and most popular browsers come pre-installed with one. These services automatically generate and record strong passwords. They offer top-notch security with industrial-grade encryptions that make them undesirable targets to even the most skilled hackers.
Don't Use Public Networks
Shoulder surfing is not the only way a hacker can get your information out in public. If you access WiFi in a coffee shop, restaurant, or other public networks, these connections are rarely encrypted. Because of this, cybercriminals can easily access any data transferred over that network. If you use your computer to log in to any accounts, these same criminals may have access.
If you have no other choice than to use public networks, then install a virtual private network (VPN) on all your devices. Using a VPN provides enhanced online security and privacy by encrypting your internet connection, protecting your data from eavesdropping, and ensuring anonymity. It safeguards your online activities, especially when using public Wi-Fi networks, and prevents unauthorized access to your sensitive information.
Monitor Your Data For Breaches
Credit and identity theft monitoring are great ways to ensure that your accounts have not been accessed. It isn't easy to know when your data has been breached without monitoring services and failing to notice a breach can result in damage to your credit score and other financial repercussions.
Shoulder Surfing Can Be Stopped With A Few Small Changes
Adjusting your behavior can be frustrating, but nothing is more frustrating than theft. Make sure that any time you are using sensitive information to check your surroundings. Secure your accounts, make sure to use reliable networks, and monitor your data for breaches. By taking these steps, you can keep yourself safe from shoulder surfing and digital fraud.
It doesn’t hurt to check your credit report for any mysterious charges or accounts. Doing so gets you into the habit of periodically assessing your credit’s health. Everyone is eligible for multiple free reports from each of the three reporting bureaus.
Staying on top of this allows you to detect issues early and minimize the harmful effects of identity theft. Rather than letting the criminal abuse your credit for multiple months, you can immediately report the activity and freeze your accounts.