AhnLab's analysis of phishing text messages in the second quarter this year found that loan scams accounted for more than 60% of all attacks.
AhnLab said on the 15th that it released the "Q2 2026 phishing text message trends report," which detected and analyzed phishing texts based on its agentic artificial intelligence (AI) security platform "AhnLab AI Plus."
According to the report, the most common phishing text attack type in the second quarter was loan scams, accounting for 62% of the total. That was followed by impersonating Telegram (17.38%), impersonating financial institutions (8.97%), impersonating government and public institutions (6.60%), job scams (2.22%), impersonating delivery companies (1.37%), impersonating family members (0.51%), and disguising as initial public offering subscriptions (0.27%).
Loan scams and Telegram impersonation attacks increased 162% and 71%, respectively, from the previous quarter. In contrast, family impersonation attacks fell 31% in the same period. Analysts said attackers shifted from impersonating family and acquaintances—which requires prior research and trust-building—to methods that prompt immediate responses by luring users with financial benefits or messenger account verification.
Loan scams were the second-most frequent type in the first quarter, but rose to No. 1 this quarter. The method inserts a messenger ID into the text message along with phrases such as emergency support, low interest rates, and high limits to lead users into one-on-one chat rooms.
Among the industries impersonated by attackers, financial institutions were the most common at 52.92%, followed by government and public institutions at 38.96% and the logistics industry at 8.12%. Many cases involved impersonating banks, card companies, and securities firms to make it appear as though loans, withdrawals, card use, or unusual transactions had occurred, prompting immediate action.
As for phishing methods, luring to mobile messengers accounted for the largest share at 43.89%. URL insertion was 40.33%, inducing phone calls was 14.86%, and prompting text replies was 0.92%.
In the fourth quarter last year and the first quarter this year, URL insertion accounted for 98.99% and 81.36%, respectively, but in the second quarter, attack paths were dispersed across messengers, URLs, and phone calls. Observers said attackers are using multiple channels together to evade security detection and increase the likelihood of success.
AhnLab said, "Loan scams and Telegram impersonation phishing, which emerged as major threats in the second quarter this year, are not newly introduced attack types but existing techniques that have become more sophisticated and are rising again," adding, "Every summer sees an increase in phishing attempts disguised as airline tickets, lodging reservations, and vacation events, so people should make it a habit to verify the authenticity of texts from unconfirmed sources."