
Social Engineering


CISSP_Candidate
08-29-2006, 10:22 AM
What is considered social engineering and what is considered shoulder browsing?

Is it when the attacker uses some kind of trick to fool a human due to a lack of awareness or weakness towards security

OR

when an attacker looks for a password over a shoulder (I think this is called shoulder browsing but not sure, please advise)

Jescoi
08-29-2006, 10:22 AM
Social engineering uses humans as the vector of attack.
People are usually considered the weakest link in the security chain. Why would you spend hours trying to brute force a database with a low probability of success if you can ask for and receive this information in a few minutes?
Consider this: to brute force a password you have to make at least thousands of tries, and probably after 3-5 the account under pressure would be locked out, or an IDS/IPS would block your suspicious source of attack (i.e. IP address).

Examples of "Classical Social Engineering" would be calling employees to collect as much information as possible about your company. After each call the attacker becomes more familiar with the particular environment and is probably able to act as an employee to fool people on the other end of the phone line. Then he can collect more confidential information.
Other examples are dumpster diving or piggybacking/tailgating.

Modern Social Engineering is more coherent and jointly uses human weaknesses and technology. Examples?
Phishing.
Another one that I heard about recently was related to pen testing, when testers dropped some flash pen drives in the parking area in the basement of their client's office. People enjoyed such a fortunate accident and immediately connected the pen drives to the office desktops. A few minutes later trojans established "legitimate" connections from the internal office to the pen testers' servers... Both examples show a new trend in attacks: DMZs and firewalls are no longer the favourite targets. Endpoints in the network (with uneducated users as the trigger) are used to start attacks on our networks.

IMHO social engineering, especially when supported by sophisticated technology and a lack of security awareness among network endpoint (desktop) users, is one of the greatest threat/vulnerability pairs, creating a huge surface for attackers. And this kind of attack may lend itself to some automation (phishing, for example, can be used to attack the browser to get control over the workstation), which makes it more dangerous.