Watch Out Wednesday: Shoulder surfing

TULSA, Okla. — Despite all of the high-tech scam threats out there nowadays, the warning remains the same for old-school scams such as shoulder surfing.

During the hustle and bustle of a busy and hectic holiday shopping season one year ago, two shoppers, a mother and daughter, were attacked by scammers.

"It's very frustrating, it's very scary, not only frustrating, but scary."

Brooke said she wants to get the word out, not only for this holiday shopping season but for shopping at any time of the year.

"They told us we could get another 25% off if we apply for their credit card, I was 'OK, cool. What's it going to hurt? The worst they could say is no.'"

The worst was not just the "no" answer she got. It was what happened later that day, when she discovered two fraudulent charges on her debit card.

"I'm like what in the world?" Brooke said.

Security experts say it could be what they call old-fashioned shoulder surfing: a scammer peering over your shoulder without your knowledge. They can strike when you are filling out a credit application at a store counter, or even when you're just paying with a current credit or debit card.

"My debit card info is out there, my social security number is out there, my date of birth is out there, anything this person needs to really genuinely to be me, is out there," Brooke said.

Indeed, that is scary, Brooke reminds us. She worries there may be a single parent out there struggling just to make Christmas merry for their children.

"I just didn't want it to happen to somebody else, be got for more than $70. $70 isn't going to make or break me, but when there's somebody out there, like a single mom on a fixed income, who's like hey this is all the money I have, you just drained my account, plus some?"

She says she now has fraud protection and says it's a small price to pay, even for a single mom. Her bank covered them, although by law it is not required to do so when a debit card is involved, as opposed to a credit card.

Brooke also got a new debit card number.

According to Aura.com, a company specializing in fraud protection, here are the most common places shoulder surfers can strike, and how to protect yourself:

In Crowded Environments Such as Bars, Restaurants, and Airports

Shoulder surfers hang out in crowded spaces where they can blend in and steal information without being detected.

For example, let’s say you’re out with friends at a bar or restaurant and need to transfer money into your account to pay the bill. A shoulder surfer nearby can watch you enter your banking information into your mobile banking app and use it later to empty your account or commit fraud.

When You’re Using an ATM

Have you ever wondered if the person standing next to you saw your PIN as you typed it into the keypad? Shoulder surfers regularly target ATMs in public places like outside of a gas station.

But they’re not waiting around to try and spy your PIN. Instead, they’ll employ a number of different frauds, such as:

  • “Skimmers” or “Shimmers”. These small devices attach on top of an ATM or go inside the card reader itself and steal your account information when you use them. 
  • Video cameras and recording devices. Some shoulder surfers will place tiny cameras around ATMs for direct observation of your PIN keystrokes and card details. 
  • Binoculars and high-powered listening devices. Other scammers might stay in their car across the parking lot and use binoculars and listening devices to steal your information.

On Public Transportation

Few people think twice about using their phones on public transportation. But this is a perfect situation for shoulder surfers to attack.

Whenever you log into one of your phone's apps or enter your passcode, a shoulder surfer can make note of that information. Later, they might steal your phone or wallet and gain access to your sensitive information.

Your phone is often a golden ticket to your most sensitive information. When my phone was stolen on a holiday, scammers got access to my bank accounts, cryptocurrency wallets, and email. They were even able to change my passwords and lock me out of my own accounts.

While Using Public Wi-Fi

If you’ve ever logged into accounts on the Wi-Fi at your local coffee shop, you’ve put your sensitive information at risk.

Cybercriminals use unsecured public Wi-Fi networks to commit man-in-the-middle (MITM) attacks. These are a form of shoulder surfing where they intercept your connection to steal sensitive data.

The worst part is, you won’t even know it’s happening to you. As you browse Instagram, Snapchat or other social media, shop, or log in to work apps, the criminal captures all of your details from afar.

When You’re Talking on the Phone in Public

Sometimes shoulder surfers aren’t eavesdropping on what you type but what you say.

Let’s say you’re talking to your child on your cellphone and they ask for your credit card details to make a purchase online. Without thinking twice, you read them aloud for anyone to hear.

During The First Days of a New Job

Nowhere is entirely safe from scammers or shoulder surfers. Just think about all the information you’re required to give up when you start a new job — Social Security number, address, phone number, banking details for benefits.

Your new coworkers could come over for a chat and catch a glimpse of your most sensitive information.

What Are the Consequences of Shoulder Surfing?

In each of the examples of shoulder surfing we just listed, scammers got access to your personally identifiable information (PII). This includes your name, address, phone number, Social Security number, banking information, phone and credit card PIN, and account passwords.

With this information, scammers can wipe you out financially, take loans out in your name, or commit bank fraud. They can also gain access to sensitive information and photos you don’t want shared or steal your medical benefits (i.e., medical identity theft). They could even sell your identity on the dark web.

The worst thing about shoulder surfing attacks is that many go undetected until it’s too late.

If you don’t regularly monitor your credit reports or get fraud alerts, you’ll only find out that someone has stolen your identity when you get a strange bill in the mail, find out your account is empty, or don’t qualify for a home or car loan.

Unfortunately, recovering from identity theft can take weeks, months, or even years.

10 Ways To Protect Yourself from Shoulder Surfing Attacks

  1. Physically block out would-be scammers
  2. Use strong passwords and a secure password manager
  3. Don’t use public Wi-Fi networks to log into accounts
  4. Add a privacy screen protector to your devices
  5. Enable 2FA — but not SMS
  6. Never input personal information into public computers
  7. Use biometrics like fingerprints and facial recognition
  8. Set up fraud alerts to automatically monitor your credit
  9. Find a private place when you need to share sensitive information
  10. Avoid using ATMs in public places

Like most scammers, shoulder surfers rely on your human nature to be trusting. Awareness of your surroundings is the first step in protecting yourself from shoulder surfing attacks. Don’t be caught off-guard when using your mobile device, tablet, or laptop in public.

1. Physically block out would-be scammers

Surfers can’t steal what they can’t see. Put your body between your sensitive information and anyone’s direct line of sight. For example, shield the keys on a PIN pad when entering your code or stand against a wall and hold your phone up to your body when entering passwords.

2. Use strong passwords and a secure password manager

It’s harder to catch and remember a password that’s long, complicated, and full of different characters.

Avoid using common or easy passwords and don’t fall into the trap of reusing old ones. According to a study from Harris Poll and Google, 66% of Americans reuse the same passwords for social media, email, and banking accounts.

Contact the Problem Solvers:

  • 918-748-1502
  • problemsolvers@kjrh.com