Social engineeringis the broad technique attackers use when they manipulate human psychology—such as trust, fear, urgency, curiosity, sympathy, authority, or the desire to be helpful—to persuade someone to take an action that benefits the attacker. The key idea in the question is “exploit human emotions and connection,” which is the defining characteristic of social engineering. Rather than breaking a system through purely technical means, the attacker targets the person as the easiest path to access, credentials, sensitive information, or physical entry.
Phishing is aspecific subtypeof social engineering that typically uses email, text messages, or fake websites to trick users into clicking links, opening attachments, or entering credentials. Tailgating is another subtype focused onphysical access, where an attacker follows an authorized person into a restricted area by leveraging politeness or social pressure. Malware is malicious software used to compromise systems; it can be delivered through social engineering, but malware itself is not the human-manipulation technique.
Cybersecurity control guidance treats social engineering as a major risk because it can bypass technical protections by causing legitimate users to unintentionally grant access. Common defenses include awareness training, verification procedures (call-back and out-of-band confirmation), least privilege, multi-factor authentication, strong email and web filtering, and clear reporting channels so suspicious requests can be escalated quickly.
