In 2023, a Ponemon Institute study sponsored by 3M found that 91% of visual hacking attempts — someone simply looking at a screen — were successful. No malware. No zero-day exploit. No phishing email. Just a person standing in the right place at the right time, reading credentials off someone else's screen or watching them type a PIN. The shoulder surfing attack is the oldest trick in the social engineering playbook, and it still works because almost nobody takes it seriously.
This post breaks down exactly how shoulder surfing attacks happen in 2025, why they're more dangerous now than ever, and what your organization can do — starting today — to shut them down. If you think this threat is limited to ATMs and airport lounges, you're underestimating a technique that threat actors use as the first step in devastating data breaches.
What Is a Shoulder Surfing Attack, Exactly?
A shoulder surfing attack is a form of social engineering where an attacker visually observes a victim entering sensitive information. That information can be a password, a PIN, a credit card number, a one-time passcode, or even a confidential document on a laptop screen. The attacker doesn't need to be literally over your shoulder — they might be across a coffee shop with a phone camera zoomed in, or sitting two seats away on a train.
The simplicity is what makes it effective. There's no digital footprint. No logs to review. No alert from your SIEM. Your endpoint detection won't flag someone's eyeballs. It's a gap that technology alone cannot fill, which is exactly why security awareness training matters so much for this particular threat.
The Modern Twist: Cameras and Optics
In my experience, people picture shoulder surfing as someone awkwardly hovering behind you at an ATM. That was 2005. In 2025, attackers use smartphone cameras with optical zoom, small wearable cameras, and even off-the-shelf telescopic lenses. Researchers at Ben-Gurion University demonstrated that a standard smartphone camera could capture screen content from several meters away with startling clarity.
This means the "shoulder" in shoulder surfing is now metaphorical. The attacker could be ten feet away, recording video they'll review frame by frame later. If your employees think keeping a casual distance from strangers protects them, they're wrong.
The $4.88M Reason You Should Care About Visual Hacking
IBM's 2024 Cost of a Data Breach Report pegged the global average breach cost at $4.88 million. A shoulder surfing attack rarely shows up as the root cause in a breach report because it's the enabler, not the finale. An attacker observes a credential, then uses it to log in remotely. The breach gets classified as "stolen credentials" — the top initial attack vector in the Verizon Data Breach Investigations Report year after year.
Here's what actually happens in a real attack chain: a threat actor watches an employee type their corporate password at an airport. That night, they attempt to log in from a residential VPN. If your organization doesn't enforce multi-factor authentication, they're in. Even if you do have MFA, the attacker may have also observed the OTP entry, especially if the employee uses SMS-based codes displayed on a locked screen notification.
The point: credential theft through visual observation feeds directly into the most expensive breach category. You just never see it in the forensics because the evidence was never digital to begin with.
Where Shoulder Surfing Attacks Happen Most
I've cataloged the environments where I've seen or heard about visual hacking incidents over the past decade. The list might surprise you.
1. Airports and Airline Lounges
Business travelers are the highest-value targets. They're logging into corporate VPNs, accessing email with sensitive attachments, and often sitting elbow-to-elbow with strangers. The false sense of security in a "business class lounge" makes people careless.
2. Coffee Shops and Co-Working Spaces
Remote work has exploded the attack surface for shoulder surfing. Your employees are entering credentials and reviewing confidential data in spaces designed for openness and collaboration — exactly the wrong environment for handling sensitive information.
3. Open-Plan Offices
The threat isn't always external. Insider threats are real, and an open office layout means a disgruntled employee, a contractor, or even a visitor on a facility tour can observe screens and keyboard entries. The CISA physical security guidelines explicitly address visual access controls for this reason.
4. ATMs and Point-of-Sale Terminals
The classic scenario. Still happens constantly. The FBI's IC3 receives thousands of reports annually involving credential and financial data theft where physical observation is a contributing factor.
5. Public Transit
Trains, buses, subways. People unlock phones with PINs, check banking apps, and read confidential emails on packed commuter trains. The person pressed against them has a front-row seat.
How to Prevent a Shoulder Surfing Attack: 8 Specific Steps
Generic advice like "be aware of your surroundings" is useless. Here are concrete, actionable defenses your organization should implement now.
Step 1: Deploy Privacy Screens on All Company Devices
3M and other manufacturers make privacy filters that narrow the viewing angle of a display to roughly 60 degrees. Anyone outside that cone sees a darkened or blacked-out screen. This is the single most effective physical countermeasure against visual hacking. Issue them as standard equipment, not as an optional accessory.
Step 2: Enforce Biometric Authentication Where Possible
Fingerprint readers and facial recognition eliminate the need to type passwords in public. There's nothing for an attacker to observe. If your organization still relies on typed passwords as the primary authentication method in 2025, you're handing shoulder surfers an invitation.
Step 3: Implement Multi-Factor Authentication — But Do It Right
MFA is critical, but the implementation matters. SMS-based one-time codes displayed as lock-screen notifications can be observed just like passwords. Push-based MFA (like a simple approve/deny prompt) or FIDO2 hardware keys are far more resistant to shoulder surfing. Move to phishing-resistant MFA methods aligned with NIST identity and access management guidelines.
Step 4: Disable Lock Screen Notification Previews
This takes 30 seconds per device but eliminates a massive exposure. Configure mobile device management (MDM) policies to hide message content on lock screens. OTP codes, email subjects, and Slack messages should never be visible without unlocking the device.
Step 5: Train Employees on Situational Awareness
Your people need to understand why this threat matters and how it actually plays out. Not a checkbox compliance exercise — real, scenario-based training. Our cybersecurity awareness training program covers shoulder surfing, social engineering, and physical security in practical, engaging modules that employees actually remember.
Step 6: Adopt Zero Trust Principles
Zero trust isn't just a network architecture — it's a mindset. Assume every authentication could be compromised. Combine strong authentication with continuous verification: device posture checks, impossible travel detection, and behavioral analytics. Even if a shoulder surfer captures a credential, layered defenses stop them from using it.
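The "impossible travel" and "new location" checks above are the layer that catches a shoulder-surfed password when it is replayed from somewhere else, the same pattern as the airport-then-remote-VPN chain described earlier. The following is an added example, not code from the original post: a small post-authentication risk check that scores each login against the user's recent history and decides whether to allow, step up, or deny and alert. All login events, coordinates, IP addresses and the 900 km/h threshold are constructed for illustration; a real deployment would feed it IP-geolocation results and the user's login history from the identity provider.

```python
"""Added example, not from the original post: impossible-travel and
new-location checks of the kind a zero-trust layer runs on every login.
Every event, coordinate and threshold below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Faster than any commercial flight: a login pair that would need more than this
# cannot be the same person carrying the same device. Tune to your tolerance.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime        # UTC timestamp of the successful authentication
    ip: str             # source address as seen by the identity provider
    lat: float          # geolocated coordinates for that address
    lon: float
    mfa_used: bool      # whether a second factor was presented


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to get from the previous login to this one."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        # Simultaneous or out-of-order events: only a problem if the places differ.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def evaluate(history: list, cur: Login) -> dict:
    """Risk signals for `cur`, judged against the same user's earlier logins."""
    prior = [l for l in history if l.user == cur.user and l.ts < cur.ts]
    signals = {"impossible_travel": False, "new_location": False,
               "no_mfa": not cur.mfa_used, "speed_kmh": 0.0}
    if prior:
        last = max(prior, key=lambda l: l.ts)
        signals["speed_kmh"] = required_speed_kmh(last, cur)
        signals["impossible_travel"] = signals["speed_kmh"] > MAX_PLAUSIBLE_SPEED_KMH
        # Baseline of places the user has logged in from, at roughly 10 km granularity.
        known = {(round(l.lat, 1), round(l.lon, 1)) for l in prior}
        signals["new_location"] = (round(cur.lat, 1), round(cur.lon, 1)) not in known
    return signals


def decide(signals: dict) -> str:
    """Map signals to an action: a password alone should never be enough."""
    if signals["impossible_travel"] or (signals["new_location"] and signals["no_mfa"]):
        return "deny_and_alert"
    if signals["new_location"] or signals["no_mfa"]:
        return "step_up"      # require a phishing-resistant factor before granting access
    return "allow"


# Constructed sample: the victim works from Seattle; a password observed at the
# airport is replayed from London five hours later with no second factor.
HISTORY = [
    Login("mdirector", datetime(2025, 6, 9, 16, 0, tzinfo=timezone.utc), "198.51.100.10", 47.6, -122.3, True),
    Login("mdirector", datetime(2025, 6, 10, 14, 0, tzinfo=timezone.utc), "198.51.100.25", 47.45, -122.31, True),
]
ATTACKER_LOGIN = Login("mdirector", datetime(2025, 6, 10, 19, 0, tzinfo=timezone.utc), "203.0.113.77", 51.5, -0.12, False)
NORMAL_LOGIN = Login("mdirector", datetime(2025, 6, 11, 15, 0, tzinfo=timezone.utc), "198.51.100.10", 47.6, -122.3, True)

if __name__ == "__main__":
    for event in (ATTACKER_LOGIN, NORMAL_LOGIN):
        s = evaluate(HISTORY, event)
        print(event.ip, decide(s), s)
```

The design point is that the replayed credential is denied even though the password was correct: the speed needed between the two logins (about 1,500 km/h here) is not achievable, and the source is a place the user has never signed in from. A login that merely looks unfamiliar is pushed to step-up rather than denied, so the check does not lock out a traveller with a legitimate new location.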
Step 7: Create a "Public Space" Security Policy
Put it in writing. Your acceptable use policy should address working in public: mandatory privacy screens, prohibition on accessing highly sensitive systems from public Wi-Fi without VPN, and guidance on physical positioning (back to a wall, screen angled away from foot traffic). Make this part of onboarding.
Step 8: Run Visual Hacking Assessments
Pen testing shouldn't be limited to your network. Hire someone to walk through your office and see what they can observe. Can they read screens from the hallway? Can visitors see monitors during a lobby wait? These assessments are inexpensive and routinely reveal embarrassing exposures.
Shoulder Surfing and Phishing: The Combination Attack
Here's a scenario I've seen play out: an attacker shoulder surfs an employee's corporate email address and partial password at a café. They don't have the full credential, so they pivot. They craft a targeted phishing email — now with the employee's real email format and organizational knowledge — that links to a convincing credential harvesting page. The employee enters their full password, and the attacker has everything.
This is why isolated defenses fail. You need training that covers both physical and digital social engineering simultaneously. The phishing awareness training we offer for organizations includes phishing simulation exercises that teach employees to recognize credential harvesting attempts — the exact kind that follows a successful shoulder surfing observation.
Ransomware operators also benefit from shoulder-surfed credentials. Initial access brokers sell stolen logins to ransomware gangs. The credential doesn't need to come from a phishing kit — it can come from someone watching an admin type a password in a hotel lobby. The downstream damage is identical.
Why Most Organizations Ignore This Threat
I'll be blunt. Security teams focus on what generates alerts. Shoulder surfing generates zero alerts. It doesn't show up in dashboards. It doesn't trigger rules. It's invisible until the credential is used — and even then, it looks like a standard compromised credential event.
This creates a dangerous blind spot. Budget goes to EDR, SIEM, and cloud security (as it should), but physical security awareness gets deprioritized. The irony is that the lowest-tech attack often provides the initial access that makes all your expensive tooling irrelevant.
What a Shoulder Surfing Attack Looks Like in 2025
Let me paint the current picture. Your marketing director is at a conference. She sits down in the speaker lounge, opens her laptop, and logs into Salesforce. A person two seats away holds a phone at a natural angle, recording. That evening, the attacker reviews the footage, extracts the password, and logs into your CRM from a VPN endpoint. They export your entire customer database.
No exploit. No malware. No phishing email. Your IR team finds a login from an unusual IP and resets the password, but the data is already exfiltrated. The breach disclosure costs you customer trust, regulatory scrutiny, and potentially an FTC investigation if PII was involved.
This isn't hypothetical. These are the components of real incidents. The only reason they don't make headlines is that the victim can rarely prove how the credential was initially stolen.
Build a Culture That Takes Physical Security Seriously
Technology solves part of this problem. Biometrics, privacy screens, phishing-resistant MFA, and zero trust architecture all reduce the risk. But the human element is irreplaceable. Your employees need to instinctively shield their screens, choose seats with their backs to walls, and recognize when someone is paying too much attention to their device.
That instinct doesn't come from a one-time onboarding video. It comes from ongoing, practical security awareness training that treats physical threats with the same urgency as ransomware and phishing. Start building that culture today — because the threat actor in the coffee shop already has.