Shoulder surfing: Definition, examples, and how to prevent it

You probably don’t think twice before unlocking your phone or entering a PIN in public. Most of us don’t. The focus is on getting it done quickly, so it’s easy to forget how visible that moment actually is. An onlooker doesn’t need to stand right next to you or use special tools. Just being in the right place at the right time can be enough to pick up more than you intended to share. This is the idea behind shoulder surfing, and what makes it difficult to spot is how ordinary it looks while it’s happening. In most cases, nothing feels off, and yet the information may already be exposed. Once you start noticing how often this situation comes up, it’s hard to ignore. In this post, you’ll learn what shoulder surfing is, how this type of attack works, where it tends to occur, and what you can do to protect your sensitive information.


What is shoulder surfing? 

Shoulder surfing is an attack where someone gains access to sensitive and personal information simply by watching you enter it on a screen or keypad. There’s no need to touch your device or break anything. The whole thing depends on being able to see what you’re typing at the right moment — whether a PIN, password, or other sensitive information. Sometimes that means standing close enough to glance over your shoulder (hence the name), though it doesn’t always look that obvious. In other cases, it might involve a phone camera or another device used to record your screen from nearby without drawing attention. The method itself doesn’t really change, which is what makes shoulder surfing easy to overlook. If your screen is visible, even for a moment, that may be enough to expose your personal data. And because that situation comes up more often than people expect, the attack tends to blend in with everyday use rather than stand out.

How does shoulder surfing work?

A shoulder surfing attack works by taking advantage of a short, predictable window — right when information becomes visible on a screen. The attacker doesn’t rush in. They blend in first, choosing a spot where they can see without being noticed. From there, it’s mostly patience. The moment you interact with your device, they focus on what appears on the screen, not on you, and piece together what they need from what’s briefly exposed. Sometimes a quick glance is enough. Other times, they rely on a recording device so nothing has to be memorized on the spot. The approach can vary, but the pattern stays the same: wait, observe, capture, and leave without interrupting anything.

Why is shoulder surfing a security risk?

Shoulder surfing is a security risk because it leaves no trace. There’s no record of access, no alert, and no clear moment when the exposure is visible to you.

If someone sees sensitive information on your screen, that moment passes unnoticed. What matters is what happens later — when the same details are used elsewhere. By then, there’s nothing to point back to, and no easy way to tell how much was seen.

Types of shoulder surfing attacks 

Shoulder surfing doesn’t always look the same. The basic idea stays consistent, but the way it’s carried out can change depending on the setting and how much effort the attacker is willing to put in.

  • Direct shoulder surfing. This is the most obvious form of shoulder surfing. The attacker stays close — sometimes right behind you, sometimes just off to the side — and watches what appears on your screen as you interact with it. It often happens in places where people naturally stand close together, like queues, public transport, or checkout counters.
  • Remote or device-assisted observation. In these types of attacks, the bad actor doesn’t need to be directly nearby. Instead of relying on a glance, they use tools such as phone cameras, small recording devices, zoom lenses, or, in some bizarre cases, a pair of binoculars to capture what’s on a screen from a distance. It takes more planning, but it also reduces the chance of being noticed.
  • Passive observation. This type of shoulder surfing attack might not feel like an attack at all. During passive observation, a bad actor notices a pattern, a repeated action, or a moment when a device is left unattended. No deliberate setup, no obvious intent. Just attention and patience, which, in crowded or familiar environments, can be more than enough.

Shoulder surfing examples 

Shoulder surfing is easier to recognize once you know where and how it happens in the real world. Below are some examples that show how shoulder surfing takes place in everyday life.

Shoulder surfing next to ATMs 

ATMs are one of the most common places for a shoulder surfing attack. Your attention is fixed on the keypad, which makes it easy to miss what’s happening around you. Someone standing nearby doesn’t need to do much — just watch closely enough to catch your PIN as you enter it. In some cases, that’s all it takes. In others, reflective surfaces or small cameras positioned near the machine can capture the same information without you noticing. Once the PIN is exposed, the rest is straightforward, especially if the attacker acts before you have time to react.

Shoulder surfing in shared workspaces 

Shared workspaces like coworking areas make shoulder surfing easier because screens are often exposed by default. People sit close, change seats, and move around, and no one really questions it. You might be working next to someone you’ve never met, or someone who’s only there for the day. A quick glance in that kind of setting doesn’t stand out, which is what makes it risky. It doesn’t take much. Just a moment where your screen is visible while you’re focused on something else. Then there’s the small stuff people overlook. Stepping away to grab coffee, leaving a laptop open, assuming no one is paying attention. In a shared space, that assumption doesn’t always hold and could lead to you exposing personally identifiable information without even realizing it.

Shoulder surfing in coffee shops 

Coffee shops introduce risk because people move through the space constantly, and you don’t always know who’s behind you at any given moment. Someone might stand directly behind your chair while waiting for an order, then leave, and a minute later, someone else is in the same spot. Your screen is exposed for most of the time you’re in a cafe. If you’re logged into an account, reading emails, or entering card details, that information stays visible long enough to be read without much effort. Even part of a screen can reveal useful details — a full email address, account name, or the contents of a message. In some cases, that’s enough to identify the service you’re using, link it to you, or combine it with other information later to target you in other types of online scams.

Shoulder surfing in airports

Airports are one of the few places where you’re handling a lot of sensitive information while thinking about something else entirely. Shoulder surfing happens when that information is displayed in full while you’re using it at a gate, at security, or at a kiosk, and people nearby can see it without trying too hard. A boarding pass or booking screen shows your name, flight details, and reference codes clearly enough to be read from close range. That information can be used to identify you in a crowded space and link you to a specific trip. Once that link is established, it becomes easier to target you directly — whether in the airport or afterward — using details that match your travel, which increases the likelihood of successful fraud or identity theft attempts.

Shoulder surfing in public transport 

On public transport, people are often close enough to see your screen without trying. If you’re standing, your phone is usually held at chest or waist level, directly in the line of sight of anyone next to you. If you’re seated, the person beside you has the same view. When you enter your passcode to unlock your phone, that input can be seen from that distance. What happens next depends on how you use the device. A nearby passenger might be able to read a message as it appears, see an email open on your screen, or watch you enter details into an app. 

Shoulder surfing at checkout counters 

Checkout counter shoulder surfing is typically aimed at capturing your PIN or card details during a transaction. When you enter your PIN, the keypad and screen are positioned in a way that can be seen by anyone standing directly behind you. That moment is brief, but it’s predictable — every transaction follows the same step. In some cases, parts of the card number or transaction details may also be visible on the screen while the payment is processed. 

What are the consequences of a shoulder surfing attack?

A shoulder surfing attack can lead to different kinds of harm, depending on exactly what someone sees.

  • Financial theft. The financial risk depends on what is exposed. If someone sees your card number, expiry date, and CVV while you enter them, they may use those details for online purchases. If someone sees your PIN, that does not help on its own — but it becomes dangerous if they later get hold of your card, whether by theft, loss, or a second scam. In that case, they can use the PIN to withdraw cash or authorize payments.
  • Identity theft. A name on its own is rarely enough to steal an identity. The risk grows when someone sees a combination of details that connect back to you — your full name, email address, home address, date of birth, account identifiers, or similar information shown on a form or screen. Once those details are combined with other publicly available or stolen data, they can be used for identity theft.
  • Unauthorized account access. This happens when someone sees credentials or other information during a login attempt. That might be a password, or a one-time code displayed in a message preview. If the attacker sees enough to complete the sign-in process, they can get into the account directly. If they only see part of the information, they may still use it in password-reset attempts or targeted phishing.
  • Fraud built on real information. Sometimes, shoulder surfing does not give an attacker direct access to anything. It gives them context. A visible booking reference, account screen, invoice, email thread, or payment request can give them enough detail to build a scam, such as personalized phishing attacks. The more accurate the details, the easier it becomes to trick someone into clicking, replying, paying, or sharing more information.
  • Business and legal consequences. When the exposed information belongs to a company, the damage can spread well beyond one person. A password seen in a shared space might unlock internal systems. A customer record left visible on a screen might expose regulated personal data. That can trigger breach reviews, contractual disputes, regulatory scrutiny, or mandatory reporting obligations, depending on what was exposed and where the business operates.
  • Stress and loss of control. The practical damage is only part of the story. People often feel unsettled because they do not know exactly what was seen, what was remembered, or whether the information will be used later. That uncertainty can linger even when no immediate fraud appears.

How to prevent shoulder surfing 

You can’t fully eliminate the risk of shoulder surfing, but you can limit how much information is visible and when it appears. Most prevention comes down to reducing exposure at the exact moment sensitive data is on your screen or keypad. The measures below focus on that — controlling visibility, limiting what’s shown, and adding safeguards in case something is observed.

Use privacy screens

A privacy screen limits how much of your display can be seen from the side. That matters in places where people sit or stand next to you, not behind you. It won’t block everything, but it reduces casual exposure — the kind that happens without intent. Think of it as narrowing the angle, not eliminating the risk.

Enable your screen to auto-lock

An unlocked device is readable without effort. Set it to lock quickly when idle so information doesn’t stay visible after you stop using it. This matters less while you’re actively working and more in the gaps — when you step away or get distracted.

Turn off notification previews

Notifications often show more than they should. Message previews, login codes, account alerts — they appear on the lock screen without any action from you. Hiding that content removes one of the few ways sensitive data can show up without you noticing.

Shield keypads 

When you enter a PIN, the exposure is brief but direct. Covering the keypad changes the line of sight, especially in queues or at payment terminals. It’s a small adjustment, but it removes the one moment where the input is fully visible.

Enable 2FA/MFA 

Multi-factor authentication (MFA) adds a second step that isn’t visible on the same screen as your password. If someone sees your login details, they still can’t complete the sign-in without that additional factor. It doesn’t prevent observation, but it limits what that observation can be used for.

Be aware of your surroundings 

This isn’t about constantly scanning the room. It’s about noticing when your screen is visible to others and adjusting before you enter anything sensitive. A slight change in position, a pause, or waiting a few seconds can be enough to avoid exposing information at the wrong moment.

How NordProtect helps prevent the consequences of shoulder surfing 

One of the challenges with shoulder surfing is that you often don’t know what was seen or when it might be used. The information can surface later, in a different context, which makes it harder to connect the cause and the effect. That delay is where problems tend to grow — credentials get reused, personal details show up in unexpected places, or accounts are accessed without a clear starting point.

NordProtect addresses that gap in a few specific ways. It monitors breach databases and data leak sources for exposed credentials or personal information and sends security alerts and notifications when something tied to you appears. It also provides identity theft recovery support, helping deal with account takeovers, fraudulent activity, and the steps required to restore access. On the preventative side, it includes guidance and tools around account security, such as strengthening authentication and reducing repeated exposure of sensitive data. Taken together, this doesn’t stop someone from looking at your screen, but it limits what that moment can turn into afterward.

Lukas Grigas

Lukas is a digital security and privacy enthusiast with a passion for playing around with language. As an in-house writer at Nord Security, Lukas focuses on making the complex subject of cybersecurity simple and easy to understand.
