Shoulder surfing is explicitly categorized as a social engineering technique because it relies on human behavior and observation rather than exploiting software flaws or cracking passwords through computation. Quentin Docter defines it directly: “Another form of social engineering is known as shoulder surfing. It involves nothing more than watching someone when they enter their sensitive data,” such as a password or credit card number. Docter also notes that privacy filters can reduce viewing angles, but “privacy filters do not protect you as you are entering a password, since a shoulder surfer will watch your keystrokes,” and the best defense is to “survey your environment before entering personal data.”
The Mike Meyers Lab Manual reinforces the same classification: “Shoulder surfing is another technique for gathering information and gaining unauthorized access… observing someone’s screen or keyboard to get information, often passwords.” Since this is about manipulating or exploiting a person’s situation (being nearby, watching, taking advantage of inattentiveness), it is not a zero-day, evil twin, or brute-force method. Therefore, Social engineering (C) is correct.