Cybersecurity Glossary

What Is Shoulder Surfing?

Shoulder surfing is a visual information theft tactic in which someone watches a person enter, view, or handle sensitive information. It can happen in offices, airports, coffee shops, hotel lobbies, trains, conferences, call centers, and any shared space where screens or keyboards are visible.

Short definition

Shoulder surfing is the act of observing a user to steal passwords, PINs, MFA codes, customer data, documents, or other confidential information. The observer may stand nearby, watch from a distance, use a camera, or rely on reflections and exposed screens.

At a glance: Shoulder surfing does not need malware. If sensitive information is visible, an attacker may only need a line of sight and a moment of distraction.

Shoulder Surfing Meaning

Shoulder surfing is one of the simplest security threats because it uses observation instead of technical compromise. A person watches what another person types, reads, prints, or displays. The information may be captured by memory, photo, video, or a quick note.

The tactic is not limited to someone literally looking over a shoulder. An attacker can watch a laptop from a nearby table, record a phone screen in a line, view a reflection in glass, glance at a badge, or read a document left open on a desk. In busy spaces, this may not look suspicious.

For business users, shoulder surfing is a realistic risk because work has become mobile and visible. Employees review email in airports, join meetings from shared spaces, enter MFA codes in public, and handle customer or financial data from laptops and phones. Each of those moments can expose information if the surrounding environment is ignored.

The threat is also useful to social engineers. A password, internal project name, account number, badge detail, or customer fact can make later phishing and impersonation attempts more believable. Observation can become reconnaissance for a larger attack.

How Shoulder Surfing Works

Shoulder surfing relies on visibility and timing rather than direct interaction with the target.

  1. The attacker finds an exposed moment. They look for screens, documents, keypads, phones, badges, or conversations that are visible in a shared space.
  2. The target performs a normal action. The person logs in, checks email, enters a code, opens a document, or handles customer information.
  3. The information is observed. The attacker may memorize it, take a photo, record video, or capture enough context to use later.
  4. The data is reused. A stolen password, PIN, code, account detail, or project name can support account access or targeted social engineering.
  5. The target may never notice. Because nothing was clicked or stolen physically, the exposure may go unreported.

Common Shoulder Surfing Examples

Shoulder surfing often blends into normal shared-space activity.

  • Laptop screen in public: A traveler reviews email or customer data while someone nearby can see the screen.
  • MFA code observation: A person enters a one-time code on a phone while another person watches closely enough to capture it.
  • Badge or visitor detail: An observer reads a badge, meeting room schedule, or visitor label and uses the detail in a later pretext.
  • Call center screen exposure: A screen with customer records is visible to visitors, vendors, or unauthorized staff.
  • Printed document visibility: Reports, invoices, notes, or customer records are left open on a desk, printer, or conference table.

Why Shoulder Surfing Matters

A visible secret is no longer fully secret. Passwords, MFA codes, customer records, financial details, and internal plans can be exposed without triggering technical alerts.

The business impact depends on what was seen. A single credential can lead to account takeover. A customer record can create privacy concerns. A project name or executive schedule can help an attacker craft a more convincing phishing message.

Shoulder surfing also affects trust in remote and mobile work. Employees often need to work while traveling or in shared spaces, so prevention has to be practical. The answer is not “never work outside the office”; it is to handle sensitive work with the environment in mind.

How to Reduce Shoulder Surfing Risk

Good prevention starts with treating visibility as part of access control.

  • Position screens carefully. Avoid facing screens toward public walkways, waiting areas, windows, or nearby seating.
  • Use privacy filters. Screen filters can reduce side-angle visibility for laptops and monitors in exposed spaces.
  • Shield codes and passwords. Cover keypads and phones when entering PINs, passwords, or one-time codes.
  • Lock and clear workspaces. Lock screens when stepping away and avoid leaving documents, notes, or badges exposed.
  • Choose safe work locations. Handle sensitive data from controlled spaces when possible, especially during travel or public meetings.

What to Do if Sensitive Information Was Exposed

If someone may have seen a password, code, document, or customer detail, act as if the exposure is real until it is assessed.

  1. Report the exposure. Share what was visible, where it happened, who may have seen it, and whether photos or recordings were possible.
  2. Reset credentials if needed. Change passwords, revoke sessions, and review MFA activity if login information or codes were visible.
  3. Assess data sensitivity. Customer data, payment information, health data, or confidential business information may require additional handling.
  4. Adjust the environment. Move screens, add privacy filters, change seating, or update workspace habits to prevent repeat exposure.

Related Shoulder Surfing Terms

Shoulder surfing often pairs with physical access and broader social engineering.

Shoulder Surfing Takeaway

Routine work becomes risky when sensitive details are visible to the room. A password, badge, email, or customer record can be exposed in a few seconds.

Treat screens, documents, and codes like access points. If someone can see them, they may be able to use them.

FAQ

Questions Teams Ask About Shoulder Surfing

Quick answers about visual data theft, public workspaces, exposed screens, and practical prevention habits.

What is shoulder surfing?

Shoulder surfing is the act of observing someone directly or indirectly to capture sensitive information such as passwords, PINs, MFA codes, documents, or customer data.

Does shoulder surfing require standing behind someone?

No. It can happen from across a room, through a camera, by watching reflections, or by viewing screens in public and shared workspaces.

Why is shoulder surfing a business risk?

It can expose credentials, confidential documents, customer information, payment details, meeting content, and internal systems without sending a phishing email.

How can employees prevent shoulder surfing?

Employees can shield screens and keypads, use privacy filters, lock devices, avoid sensitive work in exposed spaces, and report suspicious observation.