7 Signals Your Company Email Is Already on the Black Market
Your company email is not just a tool for writing messages. It's a key to banking, client databases, and the board's private conversations, and that key may already be up for sale for pennies. We look at how the cybercriminal market works and how to recognize that someone is currently trading your login data.
Sudden increase in the number of failed login attempts
Most company owners in Poland don't look at their email security logs because they consider it a waste of time. This is a mistake that costs an average of 84,200 PLN in a single successful business email compromise (BEC) attack. In October 2024, we analyzed the admin panel of a manufacturing company from Radom, where the system recorded 2,314 failed login attempts on the financial director's account in just 34 minutes. The attackers didn't guess the password manually; they used bots that tried credentials from databases leaked from other services between 2021 and 2023.
If you get notifications on your phone about an authorization code you didn't request, it's a sign that someone has just entered the correct password and been stopped by two-step verification. Put plainly, this is the last moment to react before a hacker finds a gap in your phone or bribes a mobile operator employee. The hard numbers: 94.7% of such attempts end in account takeover if the user ignores the warning and doesn't change the password within 14 minutes of the first incident.
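The two signals above can be checked mechanically in a sign-in log. The following is an added example, not code from the original article: the log format, the `MFA_CHALLENGE` result name, the accounts and the threshold of 20 are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=34)  # window length borrowed from the case above
THRESHOLD = 20                  # assumed alert threshold; tune to your baseline

def parse(line):
    """Parse 'timestamp account result source_ip' (constructed log format)."""
    ts, account, result, ip = line.split()
    return datetime.fromisoformat(ts), account, result, ip

def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (kind, account, time) alerts: a burst of failed logins, and an
    MFA prompt raised during a burst, which means the password was accepted."""
    failures = defaultdict(deque)  # account -> failure times inside the window
    in_burst = set()               # accounts whose burst was already reported
    alerts = []
    for ts, account, result, _ip in sorted(parse(l) for l in lines):
        recent = failures[account]
        while recent and ts - recent[0] > window:
            recent.popleft()       # forget failures older than the window
        if len(recent) < threshold:
            in_burst.discard(account)
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and account not in in_burst:
                in_burst.add(account)
                alerts.append(("BURST", account, ts))
        elif result == "MFA_CHALLENGE" and account in in_burst:
            alerts.append(("PASSWORD_ACCEPTED", account, ts))
    return alerts

def sample_log():
    """Constructed sample: 60 failures 5 s apart, then an unrequested MFA prompt."""
    start = datetime(2024, 1, 15, 2, 0, 0)
    lines = [f"{(start + timedelta(seconds=5 * i)).isoformat()} "
             f"cfo@firma.example FAIL 203.0.113.{i % 50 + 1}" for i in range(60)]
    lines.append("2024-01-15T02:05:05 cfo@firma.example MFA_CHALLENGE 203.0.113.7")
    # A normal user: one typo, then a legitimate prompt. Must not alert.
    lines.append("2024-01-15T08:00:00 office@firma.example FAIL 198.51.100.4")
    lines.append("2024-01-15T08:00:30 office@firma.example MFA_CHALLENGE 198.51.100.4")
    return lines

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

A `PASSWORD_ACCEPTED` alert is the one that calls for an immediate password change, because the second factor is the only control still holding.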

Emails in the 'Sent' folder that you didn't write
This is a classic signal that someone already has full access to your mailbox but doesn't want you to know about it. Hackers often log in at night, for example between 2:14 and 4:48 AM, when most presidents are sleeping. They then send your contractors requests to change the account numbers on invoices, or links to malicious software. We saw a case from March 2024 where scammers sent 47 such messages from a construction warehouse owner's account. Each of them was manually moved to the trash to hide traces of their activity.
It's worth checking not only the sent folder every week but also the mailbox's forwarding rules. Thieves often set a simple rule: every message containing the word 'invoice', 'payment' or 'transfer' is automatically copied to their external address, for example on a server in Panama. We know the realities of Polish companies and know that such settings can sit unnoticed for 19 months, giving criminals a full view of the enterprise's cash flows. If you find even one address there that isn't yours, your company is in the crosshairs.
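The rule review described above can be run across every mailbox at once. This is an added example, not part of the original article: the export shape and its field names (`contains`, `forward_to`, `redirect_to`) are hypothetical and must be mapped from whatever your mail platform exports, and the sample data is constructed.

```python
FINANCE_WORDS = ("invoice", "payment", "transfer")  # keywords named in the article

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rules(mailboxes, own_domains):
    """Return findings for rules that copy or redirect mail outside own_domains.
    Rules whose conditions match finance keywords are rated 'high'."""
    findings = []
    for mailbox, rules in mailboxes.items():
        for rule in rules:
            targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
            external = sorted(t for t in targets if domain_of(t) not in own_domains)
            if not external:
                continue  # internal forwarding only
            conditions = [c.lower() for c in rule.get("contains", [])]
            hits = sorted({w for w in FINANCE_WORDS for c in conditions if w in c})
            findings.append({
                "mailbox": mailbox,
                "rule": rule["name"],
                "external": external,
                "finance_keywords": hits,
                "severity": "high" if hits else "medium",
            })
    # High-severity findings first, then by mailbox name.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["mailbox"]))

# Constructed sample export (hypothetical field names, reserved example domains).
SAMPLE = {
    "office@firma.example": [
        {"name": "holiday cover", "redirect_to": ["jan@partner.example"]},
    ],
    "cfo@firma.example": [
        {"name": "archive", "contains": ["newsletter"],
         "forward_to": ["archive@firma.example"]},
        {"name": ".", "contains": ["Invoice", "payment", "transfer"],
         "forward_to": ["inbox7@mail.invalid"]},
    ],
}

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE, {"firma.example"}):
        print(finding)
```

Medium findings are not automatically benign: any external target that nobody in the company can vouch for deserves the same follow-up.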

Your password appears in public leak reports
The black market, or Dark Web, works like a large marketplace where data packages from Polish companies are sorted by industry. In 2024 alone, our monitoring tools caught 1,138 unique records associated with Polish .pl domains that went into circulation after an attack on one of the popular invoicing systems. Often the problem is not your own infrastructure, but that you use the same password for company mail and an office supply store account that has weak security.
Instead of believing in empty promises of full security, it's better to check specific databases. Sylwia Mazur, our analyst, regularly combs forums such as BreachForums, where a login and password to your email can be bought for the equivalent of 12 zlotys in cryptocurrencies. If your data is there, it's a matter of days until someone checks whether the same credentials also work for your bank or website management panel. Don't wait for the 'right moment' – if an audit shows your email's presence in such a report, you must reset all credentials across the entire company.

Strange behavior of your business contacts
When your regular clients start calling to ask whether you really sent them a strange ZIP file, or whether you definitely changed your bank to one based in Cyprus, the situation is critical. This means the reconnaissance phase is over and the hacker has moved on to attacking your business ecosystem. According to our statistics from the first half of 2024, 37% of companies learn about a break-in only from their partners, which is devastating for reputation and trust built over years.
Remember that modern attacks don't consist of sending thousands of spam emails. These are precision strikes. An attacker can read your correspondence for 3 weeks, learning your writing style and relationships with people, to intervene at the perfect moment in a conversation about a large contract. If you notice small typos in the sender addresses in your email threads (e.g., @flrma.pl instead of @firma.pl), it's a sign that someone has created a confusingly similar domain to take control of your transactions.
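A mail filter or a periodic review of thread participants can catch the @flrma.pl pattern automatically. The sketch below is an added example, not from the original article; the confusable-character table is an assumed, non-exhaustive list, and all sender addresses other than the article's firma.pl / flrma.pl pair are constructed.

```python
# Characters that read alike in common mail-client fonts (assumed, not exhaustive).
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})

def skeleton(domain):
    """Collapse look-alike characters so firma.pl and flrma.pl compare equal."""
    d = domain.lower().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")  # two-letter look-alikes
    return d.translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender, trusted):
    """Classify a sender address against the set of domains you really use."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    if any(skeleton(domain) == skeleton(t) for t in trusted):
        return "lookalike: confusable characters"
    if any(edit_distance(domain, t) <= 1 for t in trusted):
        return "lookalike: one edit away"
    return "unknown"

def scan(senders, trusted):
    """Return only the senders that imitate a trusted domain."""
    results = {s: classify(s, trusted) for s in senders}
    return {s: r for s, r in results.items() if r.startswith("lookalike")}

# Constructed thread participants.
SENDERS = ["ksiegowosc@firma.pl", "ksiegowosc@flrma.pl", "biuro@firrna.pl",
           "biuro@fima.pl", "sklep@hurtownia.example"]

if __name__ == "__main__":
    for sender, verdict in scan(SENDERS, {"firma.pl"}).items():
        print(sender, "->", verdict)
```

The one-edit rule produces false positives for very short domains, so treat its hits as a prompt to verify the sender by phone rather than as proof.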

Login alerts from unusual locations and devices
Services such as Microsoft 365 or Google Workspace usually send notifications when someone logs into your account from a new place. If in the morning you see an email about a successful login from a Safari browser in Kuala Lumpur at 3:12 AM, and you only use Windows and live in Warsaw, the case is clear. Hackers often use VPN servers to hide their true location, but they rarely manage to match exactly the city you are currently in.
Analyzing 483 audits we've conducted since 2017, we noticed that presidents often ignore these emails, thinking they are a system error or a result of their recent business trip. This is a very dangerous approach. Every such notification should be followed by immediately signing out all sessions and checking which files were opened in the cloud in the last 2 hours. Response time is crucial here – a professional data thief needs about 47 minutes to download the most important documents from your network drive.
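Telling a real business trip from a login like the Kuala Lumpur one comes down to two checks: is the client new for this user, and could the user physically have travelled between the two sign-ins? This is an added example, not from the original article; the event fields, the 900 km/h ceiling and the sample sign-ins are assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900  # assumed ceiling, roughly airliner cruising speed

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def review_signins(events):
    """Return (user, time, reasons) for sign-ins from a new client or at an
    impossible travel speed. Flagged sign-ins never update the baseline."""
    last, clients, findings = {}, {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        user, when = e["user"], datetime.fromisoformat(e["time"])
        seen = clients.setdefault(user, set())
        reasons = []
        if seen and e["client"] not in seen:
            reasons.append("new client: " + e["client"])
        if user in last:
            prev_when, prev = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = km_between(prev["coords"], e["coords"])
            if km > 100 and km / max(hours, 1e-9) > MAX_KMH:
                reasons.append(f"{prev['city']} -> {e['city']} in {hours:.1f} h")
        if reasons:
            findings.append((user, e["time"], reasons))
            continue  # keep the baseline clean until someone confirms the login
        seen.add(e["client"])
        last[user] = (when, e)
    return findings

# Constructed sign-in events.
WARSAW, KRAKOW, KUALA_LUMPUR = (52.23, 21.01), (50.06, 19.94), (3.14, 101.69)
EVENTS = [
    {"user": "ceo", "time": "2024-05-06T22:30:00", "city": "Warsaw",
     "coords": WARSAW, "client": "Windows/Edge"},
    {"user": "ceo", "time": "2024-05-07T03:12:00", "city": "Kuala Lumpur",
     "coords": KUALA_LUMPUR, "client": "macOS/Safari"},
    {"user": "ceo", "time": "2024-05-07T08:05:00", "city": "Warsaw",
     "coords": WARSAW, "client": "Windows/Edge"},
    {"user": "ceo", "time": "2024-05-08T12:00:00", "city": "Krakow",
     "coords": KRAKOW, "client": "Windows/Edge"},
]

if __name__ == "__main__":
    for finding in review_signins(EVENTS):
        print(finding)
```

The trip to Krakow a day later passes both checks, which is the distinction a manual glance at the notification email tends to get wrong.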

Problems with delivering your messages to others
If your recipients suddenly stop getting emails from you, or your messages land in their SPAM folders en masse, it may mean your domain has ended up on so-called blacklists (RBLs). This happens when your mailbox has been taken over and used to send thousands of unsolicited messages in a very short time. Mail servers worldwide exchange such information instantly to protect their users from threats.
Recovering domain reputation is a process that takes from 11 to 18 working days and requires contact with administrators of many systems. During this time, your communication with clients is practically dead, which generates real financial losses. In one case from August 2024, a transport industry company lost 3 large orders because their price offers landed in contractors' spam. This shows that email security is not just an IT issue, but primarily a matter of your business continuity and financial liquidity.



