Social engineering is the use of psychological tactics, like urgency, intimidation, and elicitation, to manipulate a person into revealing sensitive information, downloading a malicious file, or clicking a malicious link.
Social engineering is hacking the human, not the computer. Instead of breaking through firewalls or cracking passwords with code, an attacker tricks a person into handing over what they want. That could mean revealing sensitive information (called elicitation), downloading a malicious file, or clicking a bad link.
The whole thing runs on psychology. Adversaries lean on predictable human reactions, especially urgency (you feel rushed, so you act before you think) and intimidation (you're threatened with bad consequences, so fear pushes you to comply). These attacks can happen in person, but they're usually delivered by email, text message, or social media DMs. That's why a single sketchy email asking you to "verify your password in the next two hours" is the textbook example you'll see on the exam.
This is the very first concept in the course. Topic 1.1, "Understanding Social Engineering," sits in Unit 1: Introduction to Security, and it anchors three learning objectives: AP Cybersecurity 1.1.A (identify common indicators of social engineering tactics), 1.1.B (explain how those tactics influence victims), and 1.1.C (describe the possible impacts on victims). The course opens here on purpose, because the weakest link in almost any security system is a human being who can be talked into clicking something. Everything else in cybersecurity assumes you understand that attackers will target people, not just machines.
Phishing (Unit 1)
Phishing is social engineering delivered by email. Social engineering is the strategy (manipulate the human), and phishing is the most common way that strategy actually shows up in your inbox.
Intimidation and Urgency (Unit 1)
These are the two psychological levers the CED names directly. Intimidation uses fear of consequences, urgency uses time pressure, and both work by stopping you from pausing to ask whether an action is actually safe.
Elicitation (Unit 1)
Elicitation means getting someone to reveal sensitive information. It's what social engineering is often trying to accomplish, since details like a pet's name or birthdate become answers to security challenge questions.
Authority, Consensus, Scarcity, and Familiarity (Unit 1)
These are additional psychological principles attackers exploit. They all fall under the same umbrella as urgency and intimidation, just different buttons to push to get a person to act without thinking.
Expect multiple-choice questions that hand you a short scenario and ask you to spot the social engineering tactic. A classic stem describes an email claiming your account will be deleted unless you verify your password within two hours, and you have to name the tactic (that's urgency). Other questions ask you to pick which example is a social engineering attack out of several options. Your job is twofold: recognize the indicators (an unsolicited message, pressure to act fast, a threat, a request for sensitive info) and explain why the tactic works, tying it back to the psychological principle. Know the difference between urgency and intimidation cold, since questions often hinge on which one a scenario shows.
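The indicators listed above (an unsolicited sender, pressure to act fast, a threat, a request for sensitive information) can be turned into a simple message-screening heuristic. The code below is an added example, not part of the original study guide or any course material; the sample messages and the sender list are constructed, and the phrase lists are a starting point, not a complete filter. Note that the classic exam stem trips both the deadline and the threat patterns, while the time limit is the lever the exam answer names.

```python
import re

# Constructed sample messages modelled on the exam-style scenarios (not real mail).
SAMPLES = {
    "deadline": "Your account will be deleted unless you verify your password within two hours.",
    "threat": "We have reported your account for policy violations. Reply with your login code to avoid suspension.",
    "benign": "Reminder: the library closes at 5pm on Friday. No action is needed.",
}
# Constructed allow-list of senders the reader already corresponds with.
KNOWN_SENDERS = frozenset({"library@school.example"})

# Phrases that signal each indicator. Word boundaries keep e.g. 'passwordless' from matching 'password'.
INDICATORS = {
    "urgency": [
        r"\bwithin (?:\d+|a|an|one|two|three|\w+) (?:hours?|minutes?|days?)\b",
        r"\bimmediately\b", r"\bright away\b", r"\bexpires? (?:today|soon)\b", r"\bact now\b",
    ],
    "intimidation": [
        r"\b(?:deleted|suspended|closed|locked|terminated)\b",
        r"\blegal action\b", r"\breported\b", r"\bpenalt(?:y|ies)\b", r"\bavoid suspension\b",
    ],
    "sensitive_request": [
        r"\bpassword\b", r"\bone[- ]time (?:password|code)\b", r"\bOTP\b", r"\blogin code\b",
        r"\bbirth ?date\b", r"\bdate of birth\b", r"\bpet'?s name\b",
    ],
}


def find_indicators(text: str) -> dict[str, list[str]]:
    """Return, per indicator category, the phrases in the text that matched."""
    found = {}
    for category, patterns in INDICATORS.items():
        hits = []
        for pat in patterns:
            hits.extend(m.group(0) for m in re.finditer(pat, text, flags=re.IGNORECASE))
        if hits:
            found[category] = hits
    return found


def assess(text: str, sender: str, known_senders: frozenset[str] = KNOWN_SENDERS) -> dict:
    """List the indicators, name the psychological levers present (urgency, intimidation),
    and flag the message when a lever is combined with a request for sensitive
    information or with an unknown (unsolicited) sender."""
    found = find_indicators(text)
    levers = sorted(k for k in ("urgency", "intimidation") if k in found)
    unsolicited = sender.lower() not in known_senders
    flagged = bool(levers) and ("sensitive_request" in found or unsolicited)
    return {"indicators": found, "levers": levers, "unsolicited": unsolicited, "flagged": flagged}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        sender = "library@school.example" if name == "benign" else "security@unknown.example"
        print(name, assess(text, sender))
```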
Social engineering is the broad category of manipulating people using psychology. Phishing is one specific delivery method (a fraudulent email pretending to be a trusted source). Every phishing attack is social engineering, but not every social engineering attack is phishing. It could be a phone call, a text (smishing), or an in-person con.
Social engineering attacks people, not technology, by using psychological tricks to manipulate someone into revealing info, downloading malware, or clicking a malicious link.
Urgency and intimidation are the two main tactics named in the CED: urgency rushes you, and intimidation scares you, both to stop you from thinking critically.
These attacks usually arrive by email, text message, or social media, but they can also happen face to face.
Victims who give up personal details like birthdate or a pet's name hand attackers the exact answers used for security challenge questions.
A victim might also reveal a one-time password (OTP) or login code, which lets an attacker log into a service as them.
It's the use of psychological tactics like urgency, intimidation, and elicitation to manipulate a person into revealing sensitive information, downloading a malicious file, or clicking a malicious link. It targets human behavior instead of attacking software directly.
Social engineering is the broad strategy of manipulating people through psychology. Phishing is one specific tactic within it, namely a fraudulent email pretending to be from a trusted source. All phishing is social engineering, but social engineering also includes phone calls, texts, and in-person scams.
No. It requires almost no technical skill because it exploits human psychology, not code or systems. An attacker convinces a person to hand over access voluntarily, which is often easier than breaking through technical defenses.
Urgency creates time pressure so you act quickly without considering whether the action is safe. Intimidation threatens you with negative consequences so fear pushes you to comply. On the exam, an email saying "your account closes in two hours" leans on urgency, while one threatening punishment leans on intimidation.
You might give up personal info like your name, birthdate, or pet's name that attackers use to answer security challenge questions, hand over a one-time password that lets them log in as you, or download malware that infects your device.