What Is Shoulder Surfing? A Workplace-Focused Definition
Shoulder surfing is the act of reading someone's screen over their shoulder. In offices, it's a bigger risk than most people realize. Here's what it is and how to prevent it.
Shoulder surfing is the practice of obtaining information by looking at someone else's screen, keyboard, or documents over their shoulder. The term has been used in security literature since the 1980s, originally describing people watching ATM PINs being entered. Today it covers a much wider range of situations, and the workplace version is arguably the most common and the least discussed.
This is the working definition, the mechanism, and the parts of the problem that don't usually get attention.
The definition
Shoulder surfing is unauthorized observation of someone else's screen, keyboard, or printed material at close range. It can be deliberate (someone trying to read a colleague's email) or accidental (someone glancing at a laptop on a crowded train). The information obtained ranges from passwords and PINs to confidential business data, personal correspondence, medical records, salary figures, and unannounced product plans.
The practice is sometimes called "visual hacking" when it's systematic or sustained, particularly in research literature. For our purposes, shoulder surfing covers both casual glances and deliberate observation. See our glossary entry on visual hacking for the distinction.
How it happens
Shoulder surfing requires three things: a target with a visible screen, an observer in line of sight, and time. The amount of time needed is usually short. A 2015 study sponsored by 3M and conducted by Ponemon Institute found that visual hackers successfully obtained sensitive information in 91% of attempts, with the average attempt taking under 15 minutes.
The mechanism is simple. Most laptops have screens visible at viewing angles up to 60 or 70 degrees off-axis. Most office layouts in the post-2015 open-plan era put people within 1 to 3 meters of each other. Most workers don't position themselves with their backs to walls. The result is that a meaningful percentage of screens in any given office are readable by at least one colleague.
The same dynamic plays out in cafes, on trains, on planes, and in airport lounges, but the workplace version is distinctive because the observer is usually a coworker, the screen contains information relevant to that observer's job (or their compensation expectations), and the relationship is repeated daily.
Real-world examples
HR departments. An HR specialist working on compensation reviews in a shared office is one of the highest-value shoulder-surfing targets in any company. Salary data, performance ratings, and termination plans are all on the screen, and curious colleagues are everywhere.
Legal teams. Lawyers reviewing contracts, M&A documents, or litigation strategy in open offices. The information is privileged in a legal sense and observable in a physical sense.
Executive assistants. People who handle calendars, travel, and correspondence for executives often have the most strategically interesting screens in a building.
Engineers reviewing sensitive code. Pre-release security patches, unannounced product code, customer data in admin panels. The technical staff working on the most sensitive systems often sit in the most open spaces.
Why it matters
Shoulder surfing in the workplace is consequential for three reasons. First, the data is often genuinely sensitive (personal data, financial data, strategic data) and regulated under GDPR, HIPAA, or similar frameworks. A leak that started with a glance can become a compliance incident. Second, the threat actor is internal, which means it doesn't get caught by perimeter security tools. No firewall blocks a coworker reading your screen. Third, it's culturally awkward to address. Telling a coworker to stop looking at your screen feels rude in a way that asking IT to block a website does not.
Most companies don't have a shoulder-surfing policy. Most won't until it becomes a named incident in their breach history.
Prevention
The honest list, in order of how often it actually works:
Repositioning. Sit with your back to a wall. Angle the screen away from foot traffic. Free, surprisingly effective. The first thing a security-aware worker does in a new office.
Privacy filters. Hardware films from 3M, Targus, or Kensington that restrict the viewing angle to roughly 30 degrees on each side of straight-on. Cost $30 to $90, dim the screen by 20 to 30%, work well in fixed-geometry environments. See our comparison of the three big brands.
Software detection. Apps like Peeker use the webcam to detect people behind you and show a preview in the corner so you can react. $5/year, no screen impact, works on Macs. Newer category but covers cafes and moving threats better than filters.
Screen lock habits. Set your lock screen aggressively (1 to 2 minutes). Use hot corners to lock manually when stepping away. Doesn't help while you're working but helps when you aren't.
Booking enclosed spaces. For sensitive work (compensation reviews, contract drafting, internal investigations), use meeting rooms with closed doors. Almost no office is built this way by default, but most have spaces available.
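The line-of-sight reasoning from "How it happens" and the repositioning and privacy-filter items above can be checked against a floor plan. The sketch below is an added example, not from the original article or any product it mentions; the seat coordinates are constructed, the 3 m reading range is an assumption, and it ignores partitions and text size.

```python
import math

# Angles come from the article; the 3 m reading range is an assumption
# (the upper end of the desk spacing the article cites).
BARE_HALF_ANGLE_DEG = 60.0      # bare laptop panel, readable this far off-axis
FILTERED_HALF_ANGLE_DEG = 30.0  # with a privacy filter fitted
MAX_READ_DISTANCE_M = 3.0

def off_axis_deg(screen_xy, facing_deg, observer_xy):
    """Angle between the direction the screen faces and the line to the observer."""
    dx = observer_xy[0] - screen_xy[0]
    dy = observer_xy[1] - screen_xy[1]
    bearing = math.degrees(math.atan2(dy, dx))
    # Wrap the difference into [-180, 180) before taking the magnitude.
    return abs((bearing - facing_deg + 180.0) % 360.0 - 180.0)

def seats_with_view(screen_xy, facing_deg, seats, half_angle_deg,
                    max_distance_m=MAX_READ_DISTANCE_M):
    """Names of seats inside the viewing cone and within reading distance."""
    exposed = []
    for name, xy in seats.items():
        in_range = math.dist(screen_xy, xy) <= max_distance_m
        in_cone = off_axis_deg(screen_xy, facing_deg, xy) <= half_angle_deg
        if in_range and in_cone:
            exposed.append(name)
    return sorted(exposed)

# Constructed floor plan in metres. The screen sits at the origin and faces
# +y (90 degrees), towards its user and whoever is behind them.
SCREEN = (0.0, 0.0)
SEATS = {
    "behind_user": (0.0, 2.0),    # directly behind the user
    "side_desk": (1.5, 1.5),      # 45 degrees off-axis
    "adjacent_desk": (2.5, 0.5),  # nearly side-on to the panel
    "facing_desk": (0.0, -1.5),   # sees only the back of the lid
    "far_aisle": (0.5, 4.0),      # in the cone but beyond reading range
}

def audit():
    """Compare the bare screen, a privacy filter, and turning the screen to a wall."""
    return {
        "bare": seats_with_view(SCREEN, 90.0, SEATS, BARE_HALF_ANGLE_DEG),
        "filtered": seats_with_view(SCREEN, 90.0, SEATS, FILTERED_HALF_ANGLE_DEG),
        # Repositioned: screen now faces -x, where this plan has a wall and no seats.
        "repositioned": seats_with_view(SCREEN, 180.0, SEATS, BARE_HALF_ANGLE_DEG),
    }

if __name__ == "__main__":
    for measure, names in audit().items():
        print(f"{measure:13s} {names}")
```

In this plan the filter removes the side desk but not the seat directly behind the user, which is why repositioning sits first in the list.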
Related concepts
- Visual hacking: the systematic, often researched version of shoulder surfing.
- Presence detection: the technology underlying software-based shoulder-surfing prevention.
- Screen privacy: the broader category that shoulder surfing falls within.
FAQ
Is shoulder surfing illegal? Generally, no. Unauthorized observation of a screen in a shared space is not a crime in most jurisdictions. Using the information obtained may violate confidentiality agreements, data-protection laws, or insider-trading rules depending on what you do with it.
Does shoulder surfing actually happen in real offices? The Ponemon Institute study found 91% success rates in controlled tests inside real companies that agreed to be tested. It happens routinely, mostly opportunistically.
Are open-plan offices worse for shoulder surfing? Yes, demonstrably. Open-plan designs increase the number of colleagues within line of sight by roughly an order of magnitude compared to cubicle or office layouts.
Most shoulder surfing isn't malicious. It's curious. That doesn't make the information any less compromised.
Try Peeker
If shoulder surfing is a real concern in your office, Peeker is $5/year at getpeeker.com. Uses your Mac's webcam to detect people behind you. Runs locally, no data leaves your machine.