This scenario most clearly illustrates shoulder surfing, a social engineering technique where an attacker obtains sensitive information by observing a victim’s screen, keystrokes, or written notes—often from a nearby position—without directly interacting with the victim or their device. The key indicators are that the tester is “discreetly watching their screens and hand movements” during login and is able to capture “usernames and partial passwords” without touching anything. That is the defining pattern of shoulder surfing: passive observation to harvest credentials or other confidential information.
Shoulder surfing is particularly effective in open-plan offices, shared workspaces, airports, cafés, or any environment where people can be observed entering credentials. Attackers may watch directly, use reflections in glass surfaces or windows, record with a phone camera, or simply position themselves where both keyboard and screen are in view. Even partial password capture is valuable: it shrinks the search space for guessing the remaining characters, reveals the user's password patterns, and, combined with a known username, gives the attacker a convincing pretext for follow-on social engineering such as a fake helpdesk call. The usual countermeasures are privacy screen filters, masked password fields, locking the screen when stepping away, user awareness training, and multi-factor authentication so that an observed password alone is not enough to log in.
Why the other options do not fit:
Dumpster diving (B) involves retrieving sensitive information from trash (printed documents, media, badges, notes), not observing logins in real time.
Impersonation (C) requires actively posing as a trusted person (IT staff, vendor, employee) to persuade someone to disclose information or grant access; the scenario explicitly avoids interaction with staff.
Tailgating (D) is physically following someone through a secure door to gain unauthorized entry; it’s about bypassing physical access controls rather than capturing credentials.
Because the technique relies on visual observation of screens and keystrokes to obtain login details, the correct answer is A. Shoulder Surfing.