Sometimes, cybersecurity isn’t about advanced cryptography, man-in-the-middle attacks, and elaborate social engineering. Our online security can also be compromised by some of the oldest tricks in the book – and shoulder surfing is one of the most common of all.
This blog will look at this ancient criminal technique, which is so basic that many people completely forget about it. But the effects of ignoring shoulder surfing can be severe – from huge financial losses when you become a victim of ATM shoulder surfing, to government scandals.
So let’s dive in and help you understand what shoulder surfing is, and what can be done to make it as rare and unprofitable as possible.
What is shoulder surfing? A quick definition
The best place to start is with a shoulder surfing definition. As the name suggests, shoulder surfing involves “looking over the shoulder” of the victim. That doesn’t always mean literally peering over the person’s shoulder when they are at the ATM. But it does mean visually tracking their activity, using a variety of methods.
The aim of shoulder surfing attacks is to gain valuable intelligence. This could be credit card PINs, information about passwords, or corporate plans. In some cases, that information can be used directly by the attacker, but attackers can also store it away for more complex identity thefts.
Instinctively, we know about ATM shoulder surfing. From an early age, we’re taught to protect our passcodes and avoid showing them to the people behind us in the queue. But as you can probably tell from this shoulder surfing definition, it isn’t limited to personal banking. Shoulder surfers can strike in all sorts of environments, and we need to be aware of how they operate.
Examples of how shoulder surfing attacks work
To really understand the scale of shoulder surfing, it helps to run through a few real-world examples – and there are plenty.
- The subtle ATM surfing theft – one of the most common examples is when thieves nip in after people use ATMs. Sometimes, users are in a rush (well, most of the time, actually). And when we rush at ATMs, we can leave them at the stage where the machine asks us whether we desire another transaction. And that’s where shoulder surfers leap into action. As you turn away, they are instantly pressing “yes” and tapping into your account.
- Harvesting passwords in public spaces – another common tactic is to prey on public Wi-Fi users in coffee shops, libraries, or bars. In this case, the keys you press could be giving you away, as attentive criminals watch every move your fingers make. It takes practice, but thieves can develop a sense for what people are typing, and all they really need is an approximate idea of what your passwords are to start cracking all kinds of accounts.
- Opportunist information – in other cases, people just let crucial information slip without realizing they are doing so. From casual mentions of Facebook passwords to parents telling their kids about credit card details, people constantly betray personal details. Even things like your full name, school, place of work, and address can be valuable, especially when they are paired with things like discarded mail (another classic old-school criminal target).
Is shoulder surfing social engineering?
As you might have guessed by now, shoulder surfing attacks are very closely related to phishing and identity theft. In fact, the networks of attackers who mount email phishing or social engineering based around fake websites often use these “analog” techniques as well.
So, if you let someone know your bank, address, and name, that’s extremely useful to an attacker. It means they can create a fusion of shoulder surfing and social engineering – using data harvested from conversations to write persuasive emails or tailored websites.
This is especially handy for so-called “whale phishing,” where attackers target high-net-worth individuals. In those cases, it’s worth putting in the extra effort to build detailed profiles of individuals – even if it means running the kind of low-level surveillance that shoulder surfing requires.
What can we do? A quick guide to shoulder surfing prevention
Now that we know more about our basic shoulder surfing definition, it’s time to start building a counter-strategy. Don’t be fooled by its old-school nature. Shoulder surfing is big business, it’s everywhere, and anyone can become a victim. So it pays to put countermeasures into action. Here are some tips that will make a major difference.
1. Always shield your passwords manually
Firstly, apply common-sense techniques when typing in passwords or PINs. Use your spare hand to shield the one that’s doing the typing, and angle any POS terminal away from the people around you. If you’re typing on a computer, make sure you cover your fingers when you enter sensitive information. You don’t have to type everything with one hand and hold a sheet of paper with the other. Just be very cautious with the details that matter.
2. Be aware of potential threats
Another key aspect of shoulder surfing prevention is simple spatial awareness. If you feel that someone in a store or ATM queue is being slightly too intrusive or behaving strangely, don’t ignore it. Take your time, look them in the eye if you’re worried, and make sure that they know that you are concerned. If they are really trying to spy on you, they will probably back off when they realize you’re onto them.
3. Conclude transactions properly
As we noted earlier, people are at their most vulnerable to shoulder surfing ATM attacks when they rush. So take any receipts that are offered to you, and conclude sessions the way the machine intends, ending the session before you walk away. Don’t leave any loose ends or documents with personal data. Too many people discard receipts recklessly. Don’t be like them. Rip them or shred them, and do it securely.
4. Boost your cybersecurity measures
Above all, we need to ensure that our overall cybersecurity game is up to scratch. Anyone can let their guard down in public – or be targeted by skillful shoulder surfers. So update your antivirus, invest in a strong Virtual Private Network, and use a password manager. That way, the effects of attacks will be mitigated. Even if you can’t always stop criminals in the act, you can make it less devastating when they strike.
Shoulder surfing may seem primitive, and in some ways it is. But we live in a world where ultra-high-tech dangers coexist with simple, easy-to-ignore hazards. Don’t neglect the simple threats while focusing on the complex ones. You need protection across the board – even when using the ATM or buying groceries at Walmart.