
Shoulder Surfing: What Do You Need to Know?

30 October, 2018

When you think of hacking, you may picture the stereotypical cyber-criminal sitting in a basement, remotely attacking organisations and servers to gain unauthorised access to systems. That isn't always the case, though: most people overlook one very basic security concern, shoulder surfing.

Shoulder surfing is technically another form of hacking, since it lets an attacker gain unauthorised access to data in a system or on a computer. Yet few people treat it as seriously as a full-scale attack in which someone remotely forces their way into your data.

What is Shoulder Surfing?

So what actually is shoulder surfing? The clue is in the name. It is the act of looking over someone's shoulder while they work on their computer. In that time an onlooker may see the passwords they enter, how their network is configured and which sensitive files they have on their machine.

You no longer need expensive keyloggers or a budget for deploying malware; you just have to watch over someone's shoulder and see what they type.

Shoulder surfers can also use physical tools such as binoculars, video cameras and other vision-enhancing devices to spy on your screen from further away.

How can you avoid shoulder surfers?

Avoiding shoulder surfing across an organisation requires a concerted cyber security awareness effort to change behaviour. On an individual level, however, the following tips will dramatically reduce your chances of falling victim to it:

Install a privacy filter

One way to defeat a shoulder surfer is to fit your screen with a privacy filter. Many people assume this is a program installed on the machine, but it is a physical sheet, much like the screen protector you would apply to a phone.

Privacy filters are thin plastic films containing microscopic louvers that narrow the viewing angle, typically to around 30 degrees either side of centre, so the screen is only readable to someone sitting almost directly in front of it; from the side it simply looks dark. Be aware of the limits: a filter does nothing against someone standing directly behind you, it does not hide your keyboard, and a camera positioned in line with the screen can still capture it. It raises the cost of casual observation rather than eliminating it.

Sit away from people or form a physical barrier

If a privacy filter isn't for you, be mindful to angle your screen away from the people next to you so they have no easy line of sight to your content. You can also create a physical barrier with folders, binders or any other object that blocks the view.

Another useful tip is to avoid working in crowded areas. Try to refrain from working in cafes, airports, hotel lobbies and other busy public spaces; all of them make you an easy target and make a shoulder surfer much harder to spot.

Use a password manager

Criminals like to watch you type passwords or follow your keystrokes on a sensitive page. How do you stop their eyes from tracking the credentials you enter? One popular answer is a password manager: with one in place you rarely type a site password by hand, because the manager fills the field for you, so there is nothing for a key watcher to follow. Two caveats: you still type the master password that unlocks the manager, so treat that entry with the same care, and autofill hides the keystrokes, not the screen, so the rest of this advice still applies.

Always work under the assumption that you are on camera. That is not an invitation to be paranoid in public, but picturing your every move at the keyboard being recorded makes you more careful about what you do on your machine, which in turn frustrates shoulder surfers.

Use two-factor authentication

We would also recommend having some form of two-factor authentication set up on all of your accounts. Then, even if someone does manage to spy on your password or login details, they will still need your mobile or another external device to approve the login. Bear in mind that a one-time code displayed on your phone can itself be read over your shoulder, although it is only valid for a short window and for a single login; hardware security keys and push-based approvals give an onlooker nothing useful to copy.

One report describes new technology that builds an optical illusion into smartphone logins and can easily thwart a shoulder surfer.

The technique claims that by manipulating the spatial frequency of several overlaid images, it can make people see different images depending on how far they are from the device. An onlooker may therefore see you enter '1234' as your PIN, but because the app randomises the keypad order on every login attempt and shows the onlooker a different image from the one you see, what you actually entered is probably nothing like what they think.
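To make the randomised-order part of that idea concrete, here is a small simulation written for this article; it is not code from the report or from any real login app, and it models only the shuffled keypad, not the spatial-frequency illusion that hides the digit labels from an onlooker. The function names, the sample PIN '1234' and the fixed layouts used in the comments are all constructed for illustration. The server issues a fresh keypad layout for every attempt, the user taps positions, and an onlooker who records those positions and replays them later finds they decode to a different PIN.

```python
import secrets

DIGITS = "0123456789"


def random_layout():
    """Return a fresh keypad layout as a 10-character string: position i
    displays digit layout[i]. The shuffle uses the secrets module so an
    onlooker cannot predict the next layout from earlier ones."""
    digits = list(DIGITS)
    for i in range(len(digits) - 1, 0, -1):  # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)


def positions_for_pin(layout, pin):
    """The positions a user taps to enter `pin` under `layout`.
    This is all an onlooker who cannot read the labels gets to see."""
    if not pin or any(d not in DIGITS for d in pin):
        raise ValueError("PIN must be decimal digits")
    return [layout.index(d) for d in pin]


def pin_from_positions(layout, positions):
    """What the verifying side reconstructs from the tapped positions and
    the layout it issued for this particular attempt."""
    if any(p < 0 or p >= len(layout) for p in positions):
        raise ValueError("position out of range")
    return "".join(layout[p] for p in positions)


def verify(layout, positions, true_pin):
    """Accept the attempt only if the positions decode to the real PIN."""
    return pin_from_positions(layout, positions) == true_pin


def replay_success_rate(pin, trials=1000):
    """Simulate an onlooker who records the tapped positions from one
    login and replays them on a later login, after a new layout has been
    issued. Returns the fraction of replays that are accepted."""
    hits = 0
    for _ in range(trials):
        observed = positions_for_pin(random_layout(), pin)  # login watched
        if verify(random_layout(), observed, pin):          # later replay
            hits += 1
    return hits / trials


if __name__ == "__main__":
    pin = "1234"  # constructed sample PIN, not a real credential
    first = random_layout()
    taps = positions_for_pin(first, pin)
    print("layout", first, "-> user taps positions", taps)
    later = random_layout()
    print("replay on layout", later, "decodes to", pin_from_positions(later, taps))
    print("replay success rate:", replay_success_rate(pin))
```

With a four-digit PIN of distinct digits, a replayed set of positions decodes to the right PIN under a fresh layout only about once in 5040 attempts. The shuffle alone, though, only helps while the onlooker cannot read the labels as well as the positions; that is exactly the gap the report's optical illusion is meant to close.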

In conclusion, shoulder surfing can be extremely effective and is a far cheaper way of obtaining sensitive information than a technical attack. Shoulder surfers are difficult to spot, but they can be deterred if you take the advice above on board.
