Shoulder surfing is a physical attack where an adversary directly observes someone entering sensitive information, like a PIN, password, or access code, by watching over their shoulder or from nearby to steal credentials.
Shoulder surfing is exactly what it sounds like. An attacker stands close enough to watch you type a password, enter a PIN at an ATM, or punch in a code at a secure door, then uses what they saw to get in. No malware, no hacking tools, just eyes and proximity.
It fits into Topic 2.2 as a physical attack that exploits a physical vulnerability: sensitive information being entered out in the open without enough protection (EK 2.2.B.2, EK 2.2.C.2). Often it pairs with social engineering, since an attacker might chat you up or linger casually so you don't notice them watching (EK 2.2.A.1). The whole point is that a low-tech observation can hand an adversary the credentials needed to bypass technical security entirely.
Shoulder surfing lives in Unit 2: Securing Spaces, under Topic 2.2 Physical Vulnerabilities and Attacks. It directly supports AP Cybersecurity 2.2.A (identify common physical attacks) and connects to 2.2.B and 2.2.C, where you explain how a physical vulnerability leads to compromise and assess the risk. The big-picture lesson is EK 2.2.C.1: physical access, even just visual access to a screen or keypad, can let an adversary skip past firewalls, encryption, and every other technical control. A stolen password obtained by watching is just as dangerous as one stolen by code.
Card Cloning (Unit 2)
Both steal what should be private, but shoulder surfing grabs the secret you type while card cloning copies the data on a physical badge or card. An attacker might shoulder surf a PIN and clone a card to complete a break-in.
Dumpster Diving (Unit 2)
These are the two classic low-tech ways to harvest credentials. Shoulder surfing watches you enter information in real time; dumpster diving digs through trash for printed passwords, notes, or discarded documents.
Piggybacking (Unit 2)
Both are physical attacks that lean on social engineering and proximity. Piggybacking tricks an authorized person into letting an attacker through a door, while shoulder surfing just watches that person enter their access code so the attacker can do it themselves.
Expect this as a multiple-choice scenario where you name the attack. A stem will describe an adversary watching someone type an access code at a secure door, or standing behind an employee at an ATM watching them enter a PIN, and ask which physical attack it is. The answer is shoulder surfing. Your job is to separate it from look-alike attacks: if someone is observing entered information, it's shoulder surfing; if they're slipping through a held or closing door, that's piggybacking or tailgating. You may also need to classify it as a physical vulnerability and describe the risk it creates under 2.2.C.
Shoulder surfing is about watching information being entered (a PIN, password, or code). Piggybacking is about gaining physical entry by manipulating an authorized person into letting you through a door. One steals a credential; the other steals access. They often work together, but the action being described is what tells them apart on the exam.
Shoulder surfing is a physical attack where an adversary watches someone enter sensitive information, like a PIN or password, to steal it.
It supports learning objective AP Cybersecurity 2.2.A and often pairs with social engineering (EK 2.2.A.1).
On MCQs, if the scenario says an attacker is watching someone type a code or PIN, the answer is shoulder surfing.
Don't confuse it with piggybacking or tailgating, which are about getting through a door, not observing entered information.
It matters because visual access alone can hand over credentials that bypass technical controls (EK 2.2.C.1).
It's a physical attack where an adversary directly watches you enter sensitive information, such as a PIN, password, or door access code, and then uses what they saw to gain unauthorized access. It needs no special tools, just proximity and a clear view.
Yes. It's covered in Unit 2, Topic 2.2 as one of the common physical attacks under learning objective AP Cybersecurity 2.2.A, alongside piggybacking and dumpster diving.
Shoulder surfing means watching someone enter information to steal a credential. Piggybacking means tricking an authorized person into letting you through a secured door, like asking them to hold it open while you carry a large box. If the scenario describes observing, it's shoulder surfing; if it describes gaining entry, it's piggybacking.
No. That's the whole point. It's a low-tech attack that relies on watching and often a bit of social engineering, which is why it can quietly bypass strong technical security like encryption and firewalls (EK 2.2.C.1).
A common stem describes an attacker standing behind an employee at an ATM watching them enter their PIN, or watching a user type an access code at a secure door. In both cases, the correct term is shoulder surfing.