Low-Interest Loan Scams Top Phishing Attacks in Q2 2026

by BAEK SEO HYUN Posted : July 15, 2026, 08:44Updated : July 15, 2026, 08:44

AhnLab reported that the most prevalent type of phishing text attack in the second quarter of 2026 was 'loan scams.' The analysis indicates that rather than new attack techniques emerging, existing phishing methods have become more sophisticated, leading to a rapid increase in loan scams and messenger lure attacks.


According to AhnLab's 'Q2 2026 Phishing Text Trend Report,' loan scams accounted for 62.68% of all phishing attacks. This was followed by: Telegram impersonations (17.38%), financial institution impersonations (8.97%), government and public institution impersonations (6.60%), job scams (2.22%), delivery service impersonations (1.37%), family impersonations (0.51%), disguised public offering subscriptions (0.27%), and wedding invitation scams (0%).


Notably, loan scams and Telegram impersonations saw significant increases of 162% and 71%, respectively, compared to the previous quarter. In contrast, family impersonations and wedding invitation scams decreased by 31% and 96%, respectively.


Loan scams rose from second place in the previous quarter to first place this quarter. Attackers attract users' attention with phrases like 'emergency support,' 'low interest,' and 'high limit,' then insert a messenger ID in the text to lure them into one-on-one consultation rooms. They subsequently request personal information or demand advance payments or fees under the pretext of processing loans.


The most frequently impersonated sector was financial institutions, which made up 52.92% of the total. This was followed by government and public institutions (38.96%) and logistics companies (8.12%).


AhnLab explained that many cases involved impersonating banks, credit card companies, and securities firms, creating scenarios that required immediate action, such as loan approvals, withdrawal notifications, card usage, or reports of unusual transactions, thereby clouding users' judgment.


In terms of phishing attempt methods, mobile messenger lures accounted for the largest share at 43.89%. This was followed by URL insertion (40.33%), phone inducement (14.86%), and text reply inducement (0.92%).


This represents a shift from URL insertion-based attacks, which comprised 98.99% in Q4 of last year and 81.36% in Q1 of this year, indicating a diversification of attack methods utilizing various channels such as messengers and phone calls. AhnLab analyzed that attackers are using multiple channels to evade detection and increase their success rates.





* This article has been translated by AI.