What Is Shoulder surfing? Security Definition
On This Page
Quick Definition
Shoulder surfing is the act of directly observing someone's computer screen, phone, or keyboard — usually in a public place — to steal passwords, PINs, or other sensitive information.
Commonly Confused With
Tailgating involves an unauthorized person physically following an authorized person into a restricted area. Shoulder surfing is about observing information on a screen or keyboard, not about gaining physical access.
If someone follows you through an access card door, that is tailgating. If someone watches you type your PIN at an ATM, that is shoulder surfing.
Dumpster diving is the act of searching through trash to find discarded sensitive information. Shoulder surfing is capturing information in real time by looking at screens or keystrokes.
Finding a printed password in the office trash is dumpster diving. Watching someone type that same password is shoulder surfing.
Phishing is a social engineering attack that uses deceptive emails or messages to trick people into revealing information. Shoulder surfing requires no digital communication; it relies purely on visual observation.
An email asking you to click a link and enter your password is phishing. A person standing behind you watching you type your password is shoulder surfing.
Must Know for Exams
CompTIA Security+ and A+ 220-1102 test shoulder surfing as a social engineering / physical attack. It is categorised as a non-technical attack exploiting human weakness. Key exam distinction: shoulder surfing (visual observation) vs tailgating/piggybacking (physical access).
Common exam question: 'A user is concerned that someone is watching them type their password — what type of attack is this?' → Shoulder surfing.
Simple Meaning
Shoulder surfing is exactly what it sounds like — someone stands behind or beside you and watches over your shoulder while you type your password or PIN. No hacking required.
Full Technical Definition
Shoulder surfing is a physical (non-technical) social engineering attack classified as a human weakness exploitation technique. The attacker gains visual access to credentials or sensitive data through direct observation. It exploits the human factor rather than a technical vulnerability.
Countermeasures include privacy screens, screen orientation awareness, and security awareness training.
Real-Life Example
A financial analyst enters their laptop password at a hotel lobby. Another guest sitting nearby in a lounge chair can clearly see the keyboard. The attacker memorises the password. Later, when the analyst steps away from their unlocked laptop, the attacker uses the observed password to access sensitive financial reports.
Why This Term Matters
Shoulder surfing is one of the simplest and most underestimated attacks. No malware, no phishing, no hacking — just observation. Security awareness programmes must train users to be conscious of their physical environment, not just their cybersecurity hygiene.
How It Appears in Exam Questions
In certification exams, shoulder surfing typically appears in scenario-based multiple-choice questions. A typical question might describe a situation where an employee in an open-plan office notices a coworker looking over their shoulder while they enter a password. The question asks: What type of attack is this? The options often include tailgating, pretexting, shoulder surfing, or vishing. The correct answer is shoulder surfing. The distractors are designed to test whether the learner can differentiate between social engineering attack types.
Another common pattern involves mitigation strategies. For example: A security manager wants to reduce the risk of shoulder surfing in a customer service area where employees use desktop computers. Which control should they implement? Possible answers might include privacy screens, stronger passwords, biometric authentication, or disabling USB ports. The best answer is privacy screens, as they directly block the viewing angle. The other options address different threats.
Some questions present a step in an attack chain. For instance: An attacker gains a user's password by watching them type it at a public terminal. Later, the attacker uses that password to log into the company's email system. The question might ask which attack component is being described. The learner must recognize that the initial observation is shoulder surfing, even if the later action is something else like credential theft or account takeover.
Troubleshooting-style questions are less common, but a scenario might describe an organization experiencing unauthorized access despite strong firewalls. The investigation reveals that credentials were obtained through visual observation. The question asks what security gap allowed this. The answer is inadequate physical security control or lack of employee awareness training. These questions reinforce that shoulder surfing is a human and physical security issue, not a technical vulnerability.
Finally, some questions combine shoulder surfing with other concepts. For example: Which of the following is a physical security control that helps prevent shoulder surfing? A) Mantrap, B) Privacy filter, C) ID badge, D) CCTV. The correct answer is B. CCTV may deter but does not prevent the act of looking over a shoulder. Understanding these nuances will help candidates choose the right answer.
Practise Shoulder surfing Questions
Test your understanding with exam-style practice questions.
Example Scenario
Scenario: Sarah works as a customer service representative at a tech company. She often helps clients reset their passwords over the phone but also needs to access her own credentials to log into the ticketing system. One afternoon, Sarah is working at a shared desk in a busy open office. A new intern, Alex, is sitting at the desk next to her, but he seems to be looking at his own screen. However, every time Sarah types her password, Alex subtly glances over to catch her keystrokes. Over the course of the day, Alex sees Sarah's password several times. That evening, Alex uses the stolen password to log into the ticketing system and views confidential client support tickets.
This scenario is typical of an exam-style question where the intern's behavior is the attack. The question might ask: What type of attack did Alex perform? The correct answer is shoulder surfing. Then the exam might ask: What could have prevented this? Possible measures include Sarah using a privacy screen on her monitor, turning her screen away from the intern, or being more aware of her surroundings. The scenario highlights that the attack happened in plain sight, with no technical exploits involved.
In an exam, you might be asked to identify the most effective countermeasure from a list. The scenario could also be extended: The company later discovers unusual logins from Alex's workstation. The security team traces the unauthorized access and interviews Sarah, who admits she saw Alex looking at her screen. The question might then ask: Which security policy was violated? Answer: Clear desk policy or lack of awareness training. This example shows how shoulder surfing can be the starting point of a larger security incident.
Common Mistakes
Confusing shoulder surfing with tailgating.
Tailgating is when an unauthorized person follows an authorized person through a secured door without using their own credentials. Shoulder surfing is about observing screens or keystrokes, not about physical entry.
Remember: tailgating is about piggybacking through a door; shoulder surfing is about peeking at information.
Thinking shoulder surfing only happens in public places.
Shoulder surfing can occur anywhere, including within an office, at a coworking space, or even at home if someone looks over your shoulder. It is not limited to public settings.
Be aware of your surroundings everywhere, not just in public. Even trusted colleagues can be a threat.
Believing a strong password protects against shoulder surfing.
A strong password is harder to guess but still visible to someone watching. Shoulder surfing steals the password regardless of its complexity.
Use multi-factor authentication and physical protections like privacy screens. Strength alone does not block observation.
Assuming shoulder surfing is only about passwords.
Attackers can steal any sensitive on-screen information like financial data, personal messages, passport details, or confidential documents.
Protect all sensitive information on your screen, not just passwords. Log out or lock your screen when stepping away.
Exam Trap — Don't Get Fooled
{"trap":"In a question about social engineering attacks, some answer choices include 'shoulder surfing' alongside 'phishing' and 'vishing.' A trap is to choose 'vishing' because the scenario involves a phone call, but the actual attack is shoulder surfing if the attacker is visually observing rather than calling.","why_learners_choose_it":"Learners might think any social engineering attack that involves people is a form of manipulation, but they forget that shoulder surfing is purely visual and does not involve interaction."
,"how_to_avoid_it":"Read the scenario carefully. If the attack involves looking at a screen or keyboard, it is shoulder surfing, regardless of other context. Do not overcomplicate."
Step-by-Step Breakdown
Identify a target
The attacker looks for someone entering sensitive information in a visible location. This could be at an ATM, a laptop in a cafe, or a workstation near a hallway.
Position for observation
The attacker moves to a spot where they can clearly see the target's screen or keyboard. They may stand behind, sit nearby, or even use a mirror or camera.
Capture the information
The attacker watches as the target types a password, enters a PIN, or views a confidential document. They may memorize it, write it down, or record it with a smartphone.
Use the stolen information
The attacker now has credentials or data. They can use them to log into systems, access accounts, or sell the information to others. This step often involves combining the stolen info with other attacks.
Cover tracks
The attacker leaves the area normally, without raising suspicion. Since no digital trace is left, the victim may never realize their information was compromised until unauthorized access is discovered.
Practical Mini-Lesson
Shoulder surfing is one of the simplest yet most effective social engineering attacks that IT professionals must understand and defend against. In practice, it requires no technical skill, which makes it particularly dangerous. As an IT support specialist or security analyst, you need to know how to recognize it, prevent it, and respond to it.
First, recognize the environments where shoulder surfing thrives. Open-plan offices, shared workspaces, airports, coffee shops, and public transportation are high-risk zones. If employees often work on sensitive tasks in these areas, they are potential targets. As a professional, you can advocate for privacy screens on all monitors and laptops. These filters limit the viewing angle so that only someone directly in front of the screen can see the content. They are inexpensive and highly effective.
Second, train users to be aware of their surroundings. Encourage a habit of looking around before entering passwords or viewing sensitive data. Teach them to type passwords while shielding the keyboard with their other hand or body. For touchscreen devices, suggest using a privacy protector and avoid entering sensitive information in crowded places. Role-playing scenarios during security awareness training can make the lesson more memorable.
Third, enforce security policies like clear desk and clear screen. When employees leave their desks, they should lock their computers and put away any sensitive papers. This reduces the chance of someone walking by and seeing confidential data. Consider the physical layout of your workspace. Position monitors away from doors and hallways, and use cubicle walls or dividers to block sightlines.
What can go wrong? If an organization ignores shoulder surfing, an attacker could easily collect dozens of credentials in a day without triggering any alarms. These credentials could then be used to launch a larger breach. For example, a stolen help desk password might give an attacker access to customer accounts, reset tokens, and eventually full system control. The consequences can range from data theft to ransomware deployment.
Finally, integrate shoulder surfing into your incident response plan. If an employee reports that they might have been observed entering their password, treat it as a potential credential compromise. Force a password reset, review recent account activity, and log the incident. Even if no immediate misuse is found, proactive action can prevent future damage.
Memory Tip
Shoulder surfing = looking over someone's shoulder. It is the simplest social engineering attack — physical observation, no technology needed. Always check your surroundings before entering a password in public.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
220-1102CompTIA A+ Core 2 →SY0-701CompTIA Security+ →CS0-003CompTIA CySA+ →SC-900SC-900 →CDLGoogle CDL →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Frequently Asked Questions
Can shoulder surfing happen if I use a password manager?
Yes, if the password manager auto-fills and you do not shield the screen, an observer could still see the password displayed briefly or watch you select an entry.
Is shoulder surfing considered a cyberattack?
It is considered a social engineering attack and a physical security threat, but it is not a cyberattack in the traditional sense because it does not involve hacking software or networks.
What is the best way to prevent shoulder surfing?
Using privacy screens, being aware of your surroundings, and shielding your screen and keyboard from prying eyes are the most effective measures.
Does shoulder surfing only target passwords?
No, attackers can also capture PINs, credit card numbers, confidential documents, or any other information displayed on a screen.
Should I report a suspected shoulder surfing incident?
Yes, immediately report it to your security team. They can reset your credentials and investigate whether any unauthorized access occurred.
Can shoulder surfing be done from a distance using cameras?
Yes, attackers can use binoculars or zoom lenses on cameras to observe screens from far away. This is still considered shoulder surfing.
Summary
Shoulder surfing is a non-technical social engineering attack where an attacker observes a user's screen or keyboard to steal sensitive information such as passwords, PINs, or confidential data. It thrives in environments where people enter credentials or view private data in visible locations, including open offices, public transport, and coffee shops. The attack requires no special equipment or technical skill, making it accessible to a wide range of threat actors.
Understanding shoulder surfing is essential for IT certification learners because it appears in major exams like CompTIA Security+, CISSP, and CySA+. Questions often test recognition of the attack type, appropriate mitigation strategies, and the ability to differentiate it from other social engineering techniques such as tailgating, phishing, and dumpster diving. The key mitigation strategies include using privacy screens, maintaining situational awareness, enforcing clear desk policies, and implementing multi-factor authentication.
For IT professionals, shoulder surfing underscores that security is not only about firewalls and encryption but also about physical environment and human behavior. By integrating awareness training and physical controls, organizations can significantly reduce the risk of credential theft through observation. As a learner, keep in mind that even the strongest password is vulnerable if someone is watching you type it. Always shield your screen and keyboard, and lock your device when stepping away. This simple habit can prevent a costly security breach.