Shoulder surfing is a social engineering attack in which the attacker observes a target's behavior without the target noticing. The target is typically at their computer or other device, and may be working with sensitive information or inputting their credentials into an authentication system. The attacker, who is behind the target, is able to see what's on the screen or what keys the target is pressing.

Shoulder surfing doesn't need to literally be someone peering over another's shoulder. The attacker can accomplish the same thing by using a smartphone's camera to capture pictures or video at a distance, with the added advantage of being able to go back to that recording later rather than relying on memory alone. The attacker doesn't even need to be physically present during the attack—they can set the camera down on a nearby desk, press record, and leave. Later, they return to discover footage of the target working at their computer.