As the digital and physical worlds collide, smartphones have become central to our existence. From keeping us connected to our friends, family, and workplaces to providing access to payments, banking, and the online world, the devices in our pockets contain valuable information about our lives. Yet, with this ease of access come worrying risks. A reemergent threat for users and businesses alike is shoulder surfing: the act of spying over someone’s shoulder to gain access to sensitive information such as their banking passcodes, PINs or confidential login information. It is a tactic that has historically been associated with users of ATMs but is now becoming more widespread and, therefore, a pressing consideration not just for members of the public but also for fintech companies needing to secure their operations.
A pervasive threat: shoulder surfing and its risks
Mobile theft is on the rise globally. In London alone, it is estimated that a phone is stolen every six minutes, according to the Met Police. At the same time, 1 in 10 US smartphone owners are victims of phone theft, and 68% of victims cannot recover their devices after the theft has occurred. Biometric recognition, such as Face ID and fingerprint scanning, promises a more secure smartphone experience. Yet most operating systems fall back to a numerical passcode if biometrics fail several times, meaning that a criminal who has seen that code can still unlock the entirety of a phone’s information, from banking details to sensitive work correspondence.
As users become increasingly used to biometric recognition and passcode entry, they become less aware of their surroundings when unlocking their phone, leaving them open to targeting from criminals who only need to catch a glimpse to gain access. These glimpses can be achieved through peering over someone’s shoulder, using reflective surfaces or more sophisticated methods such as phishing apps that screen record or phishing messages that impersonate friends and family and encourage users to hand over their details.
With businesses regularly entrusting employees to access work information through personal smartphones or company devices, the effect of a successful shoulder surfing attempt can be devastating. After unlocking a phone’s capabilities, criminals can gather information to successfully imitate an employee, drain any linked company accounts and perform a widespread data breach that could potentially be held for ransom or sale on the dark web to other criminal organisations. The global average cost of a data breach in 2024 is $4.88m, a 10% increase from 2023 and the highest total ever. It’s not just large businesses that get targeted since cyber-attacked SMEs estimate average losses of nearly £31,000 each day they are forced to close, proving potentially catastrophic for organisations with limited budgets.
Organised approaches to staying safe
Protecting sensitive data from falling into the wrong hands is clearly a vital consideration for organisations and their employees. Safe smartphone usage can be ingrained into individual and organisational behaviours through a number of measures.
Strengthen security: Businesses must invest in enhanced security measures in several areas. At the point of contact, advanced authentication measures such as multi-factor authentication (MFA) or risk-based authentication (RBA) add an extra layer of protection when logging in. At the same time, privacy screens and increased surveillance on company property can also deter criminals from shoulder surfing. Robust security monitoring and incident response planning allow breaches to be detected and contained quickly, before an entire system is compromised. Finally, investment in research and development into authentication methods that are both user-friendly and resistant to shoulder surfing, such as behavioural biometrics or continuous authentication, can future-proof operating systems as criminal tactics advance.
Employee intelligence: Security awareness training schemes, together with the compulsory use of password managers such as LastPass, can help educate employees about the risks of shoulder surfing and how to spot phishing scams.
Collaborative information sharing: Through sharing threat intelligence and security protocols with law enforcement agencies, cybersecurity organisations and industry peers, fintech businesses can develop effective countermeasures that protect the sector and reassure their customer base.
Shoulder surfing might seem like a dated method of criminal activity but in today’s mobile-driven world it is rapidly evolving. The financial technology sector must adapt to this growing threat by emphasising security at every level – from user education to cutting-edge authentication methods, research and development and collaboration.
For billions of smartphone users, digital wallets and mobile payments are part and parcel of daily life, so ensuring consumers can transact safely in public spaces is essential to maintaining trust. Shoulder surfing is a preventable threat, and by taking proactive steps today, the fintech industry can ensure that the convenience and innovation it offers continue to thrive, free from the shadow of this evolving risk.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.