Major bank boss warns customers about criminals shoulder surfing

  • Shoulder surfing is a fraud tactic on the rise in the UK
  • Why it’s not safe to have the same password for your phone and mobile banking  

The head of fraud at a major bank is warning customers over a rise in criminals shoulder surfing potential victims for mobile phone passwords.

This sinister tactic has been around for decades when it comes to stealing debit card PINs at cash machines, but the more modern twist sees the phone pinched and then fraudsters using the code to get into it.

From there, they hope to access a number of financial apps, with many now managing their money online.

And Santander’s head of fraud risk is also warning customers against using the same password for their phones and mobile banking.

Distracted: Many phone users risk being defrauded, thanks to letting their guard down when entering PINs in public spaces, such as on transport networks

Chris Ainsley, head of fraud risk management at Santander said: ‘It is incredibly important your phone passwords and your digital banking credentials are different and strong.

‘Ensure you never share your passcode with anyone else or use the same code elsewhere – for example, you should have different codes for your card PINs, to those used to access your phone and any apps.

‘Biometric authentication (fingerprint or facial recognition) can be a useful way to help protect your device.

‘Always protect your devices with a PIN or passcode even if they come with biometric protection.’

The fact that you can set your own password for mobile banking means that some people will use the same password as the one they use to unlock their phone for ease, even if they intend to change it later.

But this leaves you vulnerable when it comes to criminals.

All a fraudster has to do is watch you input your phone password over your shoulder and, once they have swiped your phone, try their luck with the same code in your mobile banking apps. 

What is shoulder surfing? 

This is a technique used by criminals to obtain PINs and other personal details by watching over someone’s shoulder when they are using an ATM or card machine or logging in to mobile banking in public.

The criminal then steals the card or device using distraction techniques or pickpocketing.

If the passwords are the same, they will have access to all your money.

Those who don’t have biometric authentication, such as face ID, set up for their mobile banking are most vulnerable to this tactic.

Face ID can add an extra layer of protection to mobile banking because it means that someone else can’t log into your mobile banking using your PIN.

But fraudsters are also on the lookout for those who have just unlocked a phone or used face ID to log in to mobile banking before swiping their devices.

Figures from UK Finance show that in the first six months of 2023, £38.2million was lost to retail face-to-face fraud. This type of fraud covers all transactions that occur in person or in a shop.

UK Finance said: ‘Most of this fraud occurs using cards obtained through low-tech methods such as distraction thefts and entrapment devices at ATMs, combined with shoulder surfing.’

There was a 14 per cent jump between 2022 and 2023 in the value lost to this type of fraud.

Shoulder surfing: What to watch out for

Ensure you have different codes for your card PINs to those used to access your phone and any mobile banking apps. 

Be mindful of your surroundings and ensure you’re not attempting to log in to mobile banking in a place where people could glance at your screen – especially if you are in a crowded place such as public transport.

It is also entirely possible they can see your screen in the reflection of windows on buses and trains, for example, so be extra cautious.

Consider activating biometric authentication which requires your fingerprint or facial recognition to access your device and now, increasingly, your mobile banking. 

This way your PIN or password can’t be memorised by someone looking over your shoulder.