AhnLab said on the 16th that it released the "Q1 2026 phishing text trend report," which contains results of detecting and analyzing various phishing texts from January to March 2026 using its agentic artificial intelligence (AI) security platform "AhnLab AI PLUS."
According to the analysis, the most common phishing text attack type in the first quarter was "impersonating financial institutions," accounting for 53.62% of the total. It was followed by loan scams at 18.72%, impersonating government and public institutions at 8.49%, impersonating Telegram at 7.95%, and job scams at 5.69%.
In particular, the types impersonating financial institutions and loan scams increased by 9.38% and 205.15%, respectively, from the previous quarter, showing a sharp rise. In contrast, impersonating government and public institutions and impersonating Telegram decreased. This shows that attackers are focusing on the financial and loan sectors, where the potential for monetary theft is high.
Phishing that impersonates financial institutions mainly took the form of provoking user anxiety with urgent messages such as "withdrawal notice," then inducing L.I.N.C clicks or inquiries to steal sensitive information such as account details.
In the impersonation industry group, government and public institutions accounted for the largest share at 7.36%, followed by financial institutions at 2.70% and logistics at 0.49%. However, the "other" category reached 89.45%, indicating that phishing is not confined to specific industries but is spreading across everyday topics.
In terms of phishing methods, "URL insertion" accounted for the largest share at 81.36%. It was followed by inducing mobile messengers at 9.18%, inducing phone calls at 8.59%, and inducing texts at 0.86%. Although the share of URLs decreased from the previous quarter, attacks showed signs of becoming more sophisticated by using multiple channels such as messengers and phone calls in parallel.
In particular, the method of first contacting by text and then inducing communication via messenger or phone was analyzed to pose a high risk of damage because attackers can change their responses according to the situation.
AhnLab urged people to follow basic security rules to prevent phishing damage, such as avoiding clicks on URLs from unclear sources, checking suspicious phone numbers, blocking international-origin texts, and installing mobile security solutions.
AhnLab said, "This quarter's phishing continued the trend of refining existing tactics rather than introducing new methods," and noted, "With Family Month approaching, familiar types such as disguised wedding invitations and impersonating family members may also increase, so extra caution is needed."