A few years ago, a journalist filmed himself reading credit card numbers, PINs, and passwords off the screens of commuters on a London train. No malware. No exploit kit. Just a pair of eyes and a decent camera phone. That's a shoulder surfing attack in its simplest form — and it's one of the most consistently underestimated threats in cybersecurity.

If you think this only happens in spy movies, I've got bad news. The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches. The report doesn't break shoulder surfing out as its own category, but it sits squarely inside that number: someone watching you type is the lowest-tech credential theft there is. This post breaks down exactly how shoulder surfing attacks work, why they're surging in the remote-work era, and, most importantly, what your organization can do about it today.

What Exactly Is a Shoulder Surfing Attack?

A shoulder surfing attack is a form of social engineering where a threat actor visually observes a target entering sensitive information. That information could be a password, a PIN, a one-time MFA code, financial data, or confidential business communications. The attacker doesn't need to touch your device. They just need line of sight.

This isn't limited to literally looking over your shoulder. Modern shoulder surfing includes using smartphone cameras, small binoculars, or even recording video from across a coffee shop. It also extends past visible light. Researchers at the University of Glasgow showed in 2022 that a thermal camera pointed at a keyboard after a password has been typed, with the image analysed by a machine-learning model, recovers the password from the heat left on the keys; the keys stayed warm enough to give away a majority of passwords a full 60 seconds after entry. The technique applies just as well to PIN pads and touchscreens, since what leaks is residual heat, not anything specific to the device.

Why Shoulder Surfing Is Surging in 2026

Remote Work Created a Massive Attack Surface

Before 2020, most sensitive work happened behind badge-access doors. Now, your employees are logging into corporate VPNs from airport lounges, co-working spaces, coffee shops, and hotel lobbies. Every one of those locations is a shoulder surfing opportunity.

I've personally watched someone enter their corporate email password at an airport gate — full credentials, visible from three seats away. They had no privacy screen. No awareness that anyone might be watching. That single observation could give a threat actor initial access to an entire corporate network.

MFA Codes Are a Prime Target

Here's what most people don't realize: shoulder surfing can defeat code-based multi-factor authentication. If an attacker already has your password from a phishing campaign or a data breach, the six-digit code you type into your authenticator app is the only thing missing. One detail works in your favor, and you should understand it precisely. A TOTP code is valid only for its 30-second time step (plus whatever clock skew the server tolerates), and a server that follows RFC 6238 refuses to accept a code a second time once it has been used. So the attacker must read the code and submit it before you do, from a login page already open on their own device; a code filmed and replayed hours later is worthless. That race is easier to win than it sounds, and when the attacker wins it, your own login fails, which is a signal worth teaching people to notice.

This combination shows up in real-world attacks. The FBI's Internet Crime Complaint Center (IC3) tracks SIM swapping and credential theft as the ways criminals get past MFA, and physical observation is the cheapest way to supply the missing factor once a password is already in hand. You can review the latest threat trends at FBI IC3.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach report pegged the global average cost of a breach at $4.88 million. That number accounts for detection, response, lost business, and regulatory fines. Now ask yourself: how many of those breaches started with something as simple as a stolen credential? The same report has an answer: stolen or compromised credentials are consistently among its most common initial attack vectors.

A shoulder surfing attack is often the first link in a much longer chain. An attacker observes a password. They log in remotely. They escalate privileges. They deploy ransomware or exfiltrate data. By the time your SOC spots the anomaly, the damage is done.

The uncomfortable truth is that most security budgets go toward firewalls, endpoint detection, and SIEM tools. Almost nothing goes toward training employees to shield their screens in public. That's a gap you can close today with practical cybersecurity awareness training that covers physical security alongside digital threats.

How Threat Actors Execute a Shoulder Surfing Attack

Let me walk you through the methods I've seen documented in real-world engagements and red team exercises.

1. Direct Visual Observation

The classic. The attacker sits behind or beside the target and watches them type. This works in cafes, trains, waiting rooms, and open-plan offices. Most people never check their surroundings before entering a password.

2. Smartphone Recording

An attacker pretends to scroll social media while their camera records the target. Modern phone cameras shoot 4K video, and paused frame by frame the footage shows keystrokes, not just the screen: a masked password field hides the characters, but fingers on the keyboard don't. Usernames, MFA codes, and anything revealed by a "show password" toggle are legible straight off the display from several feet away.

3. Long-Range Optics

Binoculars and telephoto lenses aren't just for birdwatchers. In corporate espionage cases, attackers have been observed photographing screens through office windows from across the street. If your employees sit near windows with no blinds, their screens are visible to anyone with a decent zoom lens.

4. Thermal Imaging

As the University of Glasgow research showed, thermal cameras can detect heat signatures left on keyboards and PIN pads. The most recently pressed keys appear brightest, which is how an attacker infers order as well as which keys were pressed. That inference is the weak point: the temperature difference between keys shrinks within seconds, and it vanishes faster on metal keypads than on plastic keyboards. The technique works on ATMs, point-of-sale terminals, and laptop keyboards alike. The countermeasure costs nothing: after entering a PIN or password, rest a palm across the keys or tap a handful of unrelated keys so the trace is drowned in noise.

5. Social Engineering Combos

Sometimes the shoulder surfing is just one piece. An attacker might strike up a conversation to distract you, position themselves for a better angle, or even ask to "borrow your charger" to get physically close. These are textbook social engineering tactics layered on top of visual observation.

Who's Most at Risk?

Not every employee faces the same level of exposure. Focus your defenses on these high-risk groups:

  • Executives and board members — they travel constantly and access the most sensitive systems.
  • Sales teams — they work from client sites, airports, and hotels daily.
  • Finance and HR staff — they handle payroll, banking credentials, and PII.
  • IT administrators — a single observed admin password can give an attacker the keys to the kingdom.
  • Remote workers in public spaces — anyone who opens a laptop outside your office perimeter.

How to Prevent a Shoulder Surfing Attack: 9 Specific Steps

1. Deploy Privacy Screens on Every Laptop

A privacy filter narrows the viewing angle of a display so that only the person sitting directly in front of it can see the content. Anyone looking from the side, beyond roughly 30 degrees off-axis, sees a dark screen. It does nothing against someone standing directly behind the user, and nothing for the keyboard, so pair it with the seating habits in the next step. These cost under $40 per device. There is no excuse not to deploy them on every company laptop.

2. Train Employees to Be Situationally Aware

Your team needs to understand that entering credentials in public is a risk event. Teach them to check their surroundings, sit with their back to a wall, and never type passwords when someone is standing behind them. This is core content in any solid phishing and security awareness training program.

3. Use Biometric Authentication Where Possible

Fingerprint and facial recognition can't be shoulder surfed. Push your organization toward passwordless authentication: Windows Hello, Apple Face ID and Touch ID, or FIDO2 security keys. Two caveats. Every biometric has a fallback (a Windows Hello PIN, the PIN that unlocks a FIDO2 key), and that fallback can be observed, so train people to use it rarely and treat it like a password. And FIDO2 resists far more than observation: the authenticator signs a challenge bound to the site's origin, so a password seen over your shoulder is never enough on its own. CISA actively recommends phishing-resistant MFA of this kind, which also happens to be shoulder-surfing resistant. See their guidance at CISA.gov/MFA.

4. Implement Push-Based MFA Instead of Code-Based

If an attacker can read your six-digit TOTP code, they can use it within the same 30-second step. Push notifications that require a fingerprint tap on your phone give a bystander nothing to copy. Push has its own failure mode, though: an attacker who holds the password can fire prompt after prompt until a tired user approves one (MFA fatigue). Number matching fixes that by showing a number on the login screen that the user must type into the phone, so only someone who can see the session that triggered the prompt can approve it. A bystander reading that number off your screen gains nothing, because it belongs to your session, not theirs. Switch to number-matching push wherever your systems support it.

5. Enforce Screen Lock Policies

Set automatic screen lock to 60 seconds of inactivity or less. Train employees to use Win+L or Cmd+Control+Q every time they step away. An unlocked, unattended laptop in a public place is an open invitation.

6. Adopt Zero Trust Architecture

Even if an attacker captures a credential through shoulder surfing, a zero trust model limits the blast radius. Continuous verification, least-privilege access, and micro-segmentation mean a single compromised password doesn't equal full network access. NIST Special Publication 800-207 defines the zero trust framework in detail at NIST.gov.

7. Limit Sensitive Work in Public

Create a clear policy: certain categories of work — accessing financial systems, reviewing HR records, handling M&A data — should only be done on trusted networks behind closed doors. If it's sensitive enough to classify, it's sensitive enough to protect from prying eyes.

8. Use Password Managers

Password managers autofill credentials without displaying them on screen. If your employees never type passwords, there's nothing for an attacker to observe. The one password that remains is the vault's master password, so have employees unlock the vault with the device's biometric and set it to lock whenever the screen does. With that in place, this single tool removes the most common shoulder surfing target.

9. Run Physical Security Assessments

Include shoulder surfing scenarios in your red team or social engineering assessments. Have testers attempt to observe credentials in your office, lobby, and common areas. You'll be surprised how many passwords they capture in a single afternoon.

What Is a Shoulder Surfing Attack and How Do You Stop It?

A shoulder surfing attack is a visual social engineering technique where an attacker watches a victim enter sensitive information — such as passwords, PINs, or MFA codes — in person or via recording devices. To stop it, use privacy screens, biometric authentication, password managers, push-based MFA, and security awareness training that specifically addresses physical observation threats. This combination eliminates the attacker's visual access and reduces the value of anything they might see.

Real-World Shoulder Surfing in the Attack Chain

Let me paint a realistic scenario based on attack patterns I've seen documented in incident reports.

A finance manager logs into the company's banking portal at a co-working space. An attacker two tables over films the screen and keyboard with a phone propped against a coffee cup. The video captures the username, the password as it is typed, and the TOTP code. That code is worthless within a minute, so the attacker doesn't wait for the evening to use it: with the portal's login page already open on a second phone behind a VPN exit node, they submit the same credentials and code before the 30-second step expires and now hold an authenticated session. That evening they initiate a wire transfer and disappear. Total time from observation to theft: under four hours.

This isn't theoretical. Stolen credentials rank at or near the top of initial access vectors in the Verizon and IBM reports cited above, year after year. The method of stealing that credential, whether phishing, a data breach, or shoulder surfing, doesn't change the outcome. The attacker is in.
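The observation in the scenario above leaves no log line anywhere, but the attacker's reuse of the credential does. This added example (not from the original post) runs a simple new-location rule over constructed authentication events: alert when a user's successful login comes from a /24 and country the account has never succeeded from before, within a few hours of a success from a different country. The log format, IP addresses (documentation ranges), usernames and country labels are all made up for the example; real deployments would use the SIEM's own schema and an ASN or geo-IP lookup.

```python
"""Added example, not from the original post: catching the login that follows
a shoulder-surfed credential. Log lines below are constructed for the example."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample: mchen works from one GB network all morning, then a
# success appears from a Romanian address three and a half hours later.
SAMPLE_LOG = """\
2025-03-04T09:12:41Z login user=mchen result=success src=203.0.113.44 country=GB
2025-03-04T09:13:02Z login user=mchen result=success src=203.0.113.44 country=GB
2025-03-04T10:40:17Z login user=apatel result=failure src=198.51.100.7 country=US
2025-03-04T10:41:03Z login user=apatel result=success src=198.51.100.7 country=US
2025-03-04T12:55:30Z login user=mchen result=success src=192.0.2.118 country=RO
2025-03-04T13:02:11Z login user=jlee result=success src=203.0.113.80 country=GB
2025-03-04T13:30:45Z login user=jlee result=success src=198.51.100.20 country=GB
"""


def parse(line: str) -> dict:
    """Split one 'timestamp login k=v k=v ...' line into a dict; adds ts and /24 net."""
    ts, _event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["net"] = str(ipaddress.ip_network(f"{fields['src']}/24", strict=False))
    return fields


def detect_new_location_logins(log_text: str, window: timedelta = timedelta(hours=6)) -> list:
    """Return (user, iso_timestamp, src, country) for each success that arrives from a
    (/24, country) pair the user has never succeeded from, within `window` of a
    success from a different country. History is built from the log itself, in order,
    so the first success for a user is never alerted (no baseline yet)."""
    seen = {}          # user -> set of (net, country) with a prior success
    last_success = {}  # user -> (timestamp, country) of most recent success
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["result"] != "success":
            continue  # failures don't establish a location; attacker guesses stay out of baseline
        user, key = ev["user"], (ev["net"], ev["country"])
        known = seen.setdefault(user, set())
        prev = last_success.get(user)
        if (known and key not in known and prev is not None
                and prev[1] != ev["country"] and ev["ts"] - prev[0] <= window):
            alerts.append((user, ev["ts"].isoformat(), ev["src"], ev["country"]))
        known.add(key)
        last_success[user] = (ev["ts"], ev["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect_new_location_logins(SAMPLE_LOG):
        print("new-location login:", alert)
```

jlee's second login from a new network in the same country is deliberately not flagged; the rule trades some coverage for a manageable alert volume. Corporate VPNs and travel will still generate false positives, which is why production rules usually add device identity or ASN to the key rather than relying on country alone.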

Build Shoulder Surfing Into Your Security Awareness Program

Most security awareness training focuses heavily on email phishing and malware. Those are critical. But if your training doesn't cover physical security threats like shoulder surfing, tailgating, and dumpster diving, you're leaving a massive gap.

I recommend building a module specifically around public-space security. Cover the scenarios. Show employees what an attacker sees from six feet away. Demonstrate how a phone camera captures their screen. Make it visceral and real. The best training programs — like the cybersecurity awareness training at computersecurity.us — address the full spectrum of social engineering, not just the digital side.

Pair that with regular phishing simulation exercises to keep employees sharp on digital threats, and you've covered both halves of the credential theft equation.

The Bottom Line: Low-Tech Attacks Deserve High-Priority Defenses

A shoulder surfing attack costs an attacker nothing. No malware to buy. No infrastructure to set up. No exploit to develop. Just patience and proximity. That makes it one of the most accessible attack techniques in existence — and one of the most dangerous precisely because organizations dismiss it.

Your firewalls won't stop it. Your EDR won't detect it. Your SIEM won't alert on the observation itself; at best it catches the login that follows, from an unfamiliar network, hours later. The defenses that work against the act itself are human awareness, physical controls, and authentication methods that can't be visually intercepted.

Start with privacy screens and password managers this week. Roll out biometric and push-based MFA this quarter. Build physical security into your training program this month. These aren't expensive changes. They're not complex. They just require you to take a low-tech threat seriously in a high-tech world.