Endpoint Security

What Are Keyloggers And How Do You Detect One?

Could hackers be spying on your employees by monitoring their keystrokes? Here’s how you can find out.

Article thumbnail image

Keyloggers, or, keystroke loggers, are one of the oldest types of malware still in existence today and remain a particularly pervasive threat.

First used to spy on US diplomats during the Cold War, hardware keyloggers actually date all the way back to the 1970s. The story goes that US IBM Selectric typewriters were secretly intercepted whilst in transit, and electromechanical implants were installed on them that would record every key pressed and transmit information in real-time. These keyloggers went undetected for eight years and were only discovered following a tip from a US ally in 1983.

Today, our technologies have advanced beyond typewriters—and keylogging tools have evolved alongside them. The prevalence of software keyloggers (in addition to their hardware counterparts) means that laptops, computers and smartphones are all also at risk of keylogger infection, enabling hackers to turn our most commonly used devices into snooping machines. 

So, how do you protect your organization against these kinds of attacks? And, just as importantly, how do you detect if you’ve already been infected? 

Throughout this guide, we’ll outline what keyloggers are, how they work, how you can detect one, and how you can defend your organization against them. 

What Are Keyloggers?

Keyloggers are a type of spyware that, when installed on a device, are designed to log every single key pressed on a user’s keyboard as they type—recording the information leaving their fingertips before it even reaches their screen. 

Think of a keylogger as an invisible spy living within a user’s device, constantly listening in the background and recording conversations, passwords, and sensitive information. Sounds invasive, right?

Well, what’s surprising is that in certain circumstances they are legal to use and install—whether they’re ethical is a whole other question. For example, it’s perfectly legal for employers to use keyloggers to monitor their employees’ activity on work devices. It’s also legal for parents to install keyloggers on their children’s devices to keep an eye on their online activity. 

But, as with many technologies, keyloggers are widely abused and used illegally by cybercriminals looking to secretly record their victims’ sensitive information—and it happens more often than you might think. 

In fact, from July to September 2020, keylogger software was identified in more than 60% of phishing attacks. And in July 2021, the Snake keylogger was identified as the second most prevalent malware in cybersecurity solutions provider Check Point’s Global Threat Index.

The Two Types Of Keyloggers

As with all kinds of cyber-threats, keyloggers come in many shapes and sizes. But we can split all keyloggers into two key categories: hardware and software.

Software Keyloggers

Software keyloggers are far more common than hardware keyloggers, and are more likely to pose a threat to your organization. But that doesn’t mean you should ignore hardware keyloggers when considering your safety measures—after all, it was these that went undetected for eight years on US typewriters.

Software keyloggers are programs that infect victims’ devices via direct installation of malicious software. Most commonly, they hide inside downloads and applications installed by users under the belief that the application or program was trustworthy, or because they were tricked into clicking a malicious link or application.

In fact, the three most common ways for software keyloggers to infect devices are:

Trojan viruses: the most common method of infecting victims’ devices, trojans trick the user into believing they’re downloading a trustworthy tool or application, but hide malware such as keyloggers within.

Spear phishing: software keyloggers are often included inside phishing emails, and can be installed as a result of the victim clicking on a malicious link within. But it’s not only emails, victims can also be targeted via SMS, P2P networks, social media, and instant messaging.

Drive-by download: while visiting infected or malicious sites, keylogging software can automatically be installed on users’ devices in the background, without their knowledge. These can be installed by a web page script exploiting a browser vulnerability.

Hardware Keyloggers

Hardware keyloggers, on the other hand, are often small devices or physical components that can be installed on or directly connected to victims’ computers. These can easily be embedded within a computer’s internal hardware, fixed as a hardware bug inside the keyboard, or installed inside the wiring between the keyboard and CPU.

While uncommon, hardware keyloggers are particularly dangerous because they can’t be detected by security software. And unless the victim thoroughly and frequently checks their device hardware, they’re likely to go unnoticed.

Unlike their software counterparts, hardware keyloggers can’t be installed remotely. To install a hardware keylogger, the hacker needs physical access to their victim’s device. Organizations are perhaps more vulnerable to this now that many employees currently work from home rather than inside secure buildings—but nonetheless, software keyloggers remain a far greater threat.

So, now that we know what keyloggers are and how users can become infected, how do they work?

How Do Keyloggers Work?

Keyloggers work by hiding within victims’ systems, secretly recording their keystrokes and sending this data back to hackers. 

Picture it this way. For a user, having their device infected is like someone standing over their shoulder as they type. The person watching has a clear front-row view of every single character they press. 

To capture keystroke data, keyloggers sit between their victims’ keyboards and screens, capturing the information while in transit. And to go unnoticed, many keyloggers have rootkit functionality, making them almost impossible to detect—but unlike other types of malware, they cause no harm to the victim’s device itself.

To send data back to hackers, software keyloggers can automatically transfer captured keystrokes via a remote server. Hardware keyloggers are trickier, as they can require the hacker having to physically return to the device to collect the keylogger and download the data from it later. But in some circumstances, hackers might remotely connect to the hardware keylogger via Wi-Fi, and download the data in this way.

What Kind Of Information Do Keyloggers Capture?

The most basic keyloggers might only capture keystrokes entered into a specific website or application, but more advanced keyloggers can record everything typed across an entire device. 

Information captured can include usernames and passwords, email addresses, financial information, PIN codes, credit card numbers, personal information, and more. This means that victims of keylogger attacks are not only vulnerable to account breaches and hacks, but identity fraud and leaks of personal information too.

Additionally, capabilities vary, but some more advanced keylogger variants can also capture clipboard information, GPS data, screenshots, and screen recordings. 

How To Detect A Keylogger

So, how will you or your colleagues know if any of your devices have been infected by a keylogger? Chances are, you won’t. 

The most advanced keyloggers are designed to stay concealed and cause no damage or disruption to the system, so victims can be spied on for months, or even years, without ever knowing.

So, without proper awareness and security measures, it’s very unlikely that you’d detect a keylogger until it’s too late, and much of your sensitive data has already been stolen and used maliciously.

While we advise that prevention is the best defense (and we’ll take a look at how you can prevent keyloggers later on in the article), let’s take a look at some of the ways you can go about detecting one that’s already made it onto your system. 

Signs That You Might Be Infected 

The effect that a keylogger might have on your system depends on the type of keylogger you’re dealing with, and how sophisticated a piece of malware it is. 

The most advanced keyloggers are designed to remain undetected—these are unlikely to impact system performance, so they’ll be far harder to spot. But more basic keyloggers might affect your system in a number of noticeable ways. 

Here are the key signs to look out for:

  • Slow webpage performance
  • Error messages when loading pages and graphics
  • Cursor lagging or disappearing altogether
  • Keystrokes lagging or not showing up on screen 

It’s important to note that these could be signs of a variety of viruses and types of malware—not specifically keyloggers. But it’s useful to know what signs to look out for, so you can begin your investigation into what’s causing them. 

Detecting A Keylogger

If you do suspect you might be dealing with a keylogger, here’s how you can detect it. 

The best approach is a combination of the four methods outlined below.

1. Invest In Powerful Anti-Malware Software

Using powerful and up-to-date anti-malware software, you can run a full scan to detect and block not only keyloggers, but also other types of malware. 

The software provides a list of all threats detected and removed from your device, which is where you might find the keylogger—alongside the malicious files it might have used to infect your device.

2. Check Task Manager/Activity Monitor

All computers keep tabs on processes and applications that are currently running. By sorting through this information, you might be able to spot a keylogger running in the background.

For Windows users, you can find this information in your Task Manager. To open it, simply press Ctrl + Alt + Del on your keyboard, select Task Manager, then click “more details”. 

For Mac users, the Mac equivalent is called Activity Monitor. You can open it by searching “Activity Monitor” in your launchpad and clicking on the application. 

Within both Task Manager and Activity Monitor, you’ll find a tab/column labeled “process” or “processes”. Here, you can manually search the real-time list of events happening on that device, to check for suspicious processes that could be hidden keyloggers. 

3. Clear Your Temporary Files

Temporary files are a great place for keyloggers to hide—they’re not only seldom checked, but also can get pretty cluttered, making it harder to spot any suspicious files. 

For Windows users, you can open your temporary files by firstly typing “Run” into your windows search bar and hitting Enter, and then typing %temp% into the search bar that appears. 

And for Mac users, you can open it by opening your Finder app, holding down Cmd + Shift + G on your keyboard, and then typing -/Library/Caches/ into the search bar that appears.  

You might be able to spot a suspicious file hiding within the temporary files, but to be on the safe side it’s worth clearing all files within the folder.

4. Inspect Your Computer’s Hardware

The above methods are great for detecting software keyloggers—but we advise that you manually inspect your computer’s hardware to check for hardware keyloggers, too. 

After all, hardware keyloggers are unlikely to be detected by anti-malware software or the software-based checks we recommended above.

A hardware keylogger is a small device that might sit somewhere between your keyboard and computer. This might look like a USB stick or PS2 cable installed at the back of your computer or any other place that you’re unlikely to check. 

Hardware keyloggers are designed to blend in with the computer’s hardware, but it’s important to search for them—otherwise, you never know what’s lurking.

How To Protect Against Keyloggers

As we mentioned earlier, when it comes to keyloggers, prevention is always the best defense. And, to do so, we recommend taking a multi-layered approach. 

To help you protect your organization, we’ve put together a list of six key methods that you can adopt to mitigate your risk of a keylogger-related attack.

So, whether you’ve already detected and removed keyloggers from your systems and are looking for ways to protect yourself against future attacks, or if you’re looking to avoid being infected by a keylogger in the first place—here are a few quick and easy steps you can take to not only block keyloggers from entering your users’ systems, but also mitigate the damage that they can inflict if they do.

1. Powerful Antivirus Or Anti-Keylogger Software

Installing a comprehensive and continuously up-to-date security suite is key to both detecting and blocking keyloggers from entering your users’ systems before they can cause serious damage.

Many types of antivirus software include anti-keylogger protection built-in—but this varies from vendor to vendor, so that’s something you should keep in mind when researching. 

If you’re looking for more targeted protection against keyloggers, many vendors offer specialized anti-keylogger software, which is designed to detect and remove keyloggers that are known by their database, as well as encrypt keystrokes and highlight unusual behavior. 

It’s important to note that some keyloggers might slip past this software, and that it also might not be unable to detect hardware keyloggers—which is why it’s vital to implement additional measures alongside it.

To find out more about how antivirus software can protect your organization against a whole range of threats, take a look at our guide to the top antivirus software for small businesses.

2. Strong Firewalls And Web Security Gateways

Firewalls monitor network activity and block potentially harmful online content from reaching users’ devices. By installing a firewall at a high-security setting, you can ensure any programs attempting to run on users’ devices will need permission or display a warning beforehand. 

Web security gateways can also help block access to suspicious webpages and domains in real-time, protecting users against potential online threats. These will help reduce the likelihood of catching keyloggers by drive-by downloads, and grant your users a better view of the programs running on their devices.

A powerful web security solution can take care of your firewalls and web security gateways for you. To learn more, take a look at our guide to the top web security solutions.

3. Security Awareness Training

For your employees, knowing what they’re up against is half the battle. Employee awareness of keyloggers, how they can catch them, and how they can defend their devices against them is vital when it comes to preventing keylogger attacks. 

Security awareness training helps educate employees on advanced cyberthreats through engaging modules and phishing simulations—and many vendors offer modules that cover keyloggers and spyware specifically. 

By implementing security awareness training, you can teach your employees to spot the signs of malware within phishing emails as well as not to download or click on suspicious content, and warn them against visiting malicious webpages where drive-by malware can be downloaded.

To learn more about the types of training modules and phishing simulations you can train your users with, take a look at our guide to the top security awareness training solutions

4. Password Managers And Passwordless Authentication

A basic keylogger can’t record what isn’t typed. So, password managers and passwordless methods of authentication are ideal ways for organizations to protect users’ accounts from breaches. 

Password managers work by not only creating and storing user credentials in high-security encrypted vaults, but also by enabling users to auto-fill credentials on sites they’ve previously logged on to. 

This means that, when logging into a given service, users can sign into their password managers using their devices’ biometric scanners and then auto-fill their credentials. This way, users aren’t typing a single thing and their credentials remain safe from capture. 

Passwordless authentication works by enabling users to log into their accounts using alternative methods of authentication, such as biometric data, authenticator apps, one-time passwords, FIDO2-compliant hardware keys, and more. 

Passwordless authentication not only helps reduce the inherent security risks that come with passwords, but also 

To find out more about how to go password-free during the login process, check our guides to the top password managersthe top passwordless authentication solutions, and the top biometric authentication solutions.

5. Multi-Factor Authentication (MFA)

Having strong multi-factor authentication (MFA) in place means that a user must authenticate their identity in two or more ways to log into an account. For example, this could be via a combination of entering their password and approving a request to their smartphone’s authenticator app. 

MFA helps protect accounts from breaches by ensuring that even if a hacker does manage to capture a user’s credentials via a keylogger, they still wouldn’t be able to access any of their victim’s accounts without being able to pass a second mode of verification, too. 

So, while MFA doesn’t protect against being infected by a keylogger, it certainly helps limit the damage it can inflict if one does make it onto your system.  

If MFA sounds like it would benefit your organization, check out our guide to the top multi-factor authentication solutions.

6. Virtual Keyboards

A virtual keyboard enables users to type using software rather than by using physical keyboards, and mimics the layout of a hardware keyboard. 

Virtual keyboards can come in many forms, including on-screen keyboards where users can click the “keys” using their mouse, or even as a projection where users can type in the air or on a flat surface. In this way, users aren’t pressing any physical keys, and so there’s no keystroke information for keyloggers to capture. 

This method is pretty impractical for everyday use, so it might be best suited as an added layer of protection when dealing with particularly sensitive data—like entering bank details online. 

We should also note that this is great protection against basic keyloggers, but more advanced varieties might be able to capture screen recordings and screenshots. 


To protect your organization against keyloggers and emerging threats, it’s vital to continuously stay ahead of the curve with your security measures, as well as implement a multi-layered, multi-faceted approach.

Keyloggers are, of course, just one cyberthreat of many facing organizations today. But with the appropriate security measures, you can make them less threat to worry about.