Back to Blog

Utility Bro — a deep dive into a utility bill template farm

Photo of Jan Indra, Threat Intelligence, author of the blog post
Jan Indra, Threat Intelligence

What is the market for fake utility bills? How are their templates distributed? How much do they cost, and how do the vendors operate?

In the first edition of our “Threat Intelligence” article series, we take a closer look at a seemingly small-scale operation of “Utility Bro”, a template farmer focused specifically on producing and selling hundreds of different utility bill templates.

For most people, paying for utilities is one of those everyday life occurrences that you pay little attention to besides looking at how much water, gas or electricity cost you the previous month.

Even when you routinely receive your utility bills, chances are you almost never read anything but the total cost. It may then seem that a utility bill is simply a soon-to-be-discarded and forgettable piece of documentation.

In the widespread and ever-growing world of document fraud, that is quite the opposite.

Summary

     

     

    How can fake utility bills be used for fraud?

    To many businesses and institutions, utility bills serve more than just a record-keeping function. Their importance is elevated in document processing, onboarding, and underwriting processes, as utility bills are often being used as proof.

    Do you want to claim that you live at a specific address?

    “Hey, here’s my proof of address or residency, as this is where I pay for electricity, water or gas”.

    Do you want others to ascertain your creditworthiness?

    “If a bank statement is not enough, here’s a proof of my utility costs that I pay diligently.” 

    There are numerous other financial scenarios where utility bills might be utilized, making them one of the most popular templates for document fraud.

    This widespread use of these templates prompts many in the fraud community to ask the question — where are all these fake utility bills coming from?

    And what the hell is a template, anyways?

    With respect to document fraud, the term template refers to a file of a real document (or mimicking one) that can be edited to create numerous fake versions. These exist in numerous formats (PDFs, PSDs, PNGs, DOCs etc.) and usually include sample content, themes, logos, fields or graphs, often requiring only a substitution of personal data.

    GIF_UTILITY_BILL_USA_DUKE_ENERGYFigure 1: A standard fake utility bill template, allowing for fast replication with substitution of personal data. Notice the background and paper wrinkles, added digitally to imitate a physical document.

    Where are utility bill templates sold?

    Finding a fake utility bill template is easier than might seem at first sight.

    While one might expect that a significant portion of the fake document template market lives in the dark web, similar to drug or human trafficking markets, the reality is much less dramatic.

    Template farms — as providers of fraudulent document templates are called — operate right out in the open. In fact, you can try googling “utility bill template” right now and see for yourself.

    You’ll get tens of thousands of results. While not all of these will be useful, many will point you in the right direction, and you’ll come across a template farm sooner rather than later.

    The point is that the owners of template farms want you to find their “products” easily, just like any other B2C business.

    It should then come as no surprise that there is a huge number of these websites and online shops, as well as numerous corresponding social media pages, internet forums, and messaging app channels.

    Template farmers simply want to market themselves to the widest possible customer base.

    How are utility bills being sold?

    Then there is the question of ordering, payment, and distribution.

    Ordering through a messaging app is one common method, as template farms usually share their contact details on the websites. Standard channels include Telegram or Whatsapp accounts, and a generic (i.e. non-personal) e-mail address is typically provided.

    However, many of these websites function like ordinary online shops to avoid direct contact, running on platforms such as WordPress and online shop platform plugins like WooCommerce.

    Your shopping experience is as you would expect: you put templates in a cart, select a payment method, and receive your template in “less than 24hrs” — all while being continuously annoyed by a virtual bot/assistant offering help with template selection.

    In short, even template farmers strive to provide a swift and easy customer experience.

    And what about payment methods?

    Template farms often list PayPal or crypto payments as available payment methods. Quick to move and hard to trace is, unsurprisingly, the name of the game here.

    “Utility Bro” – a template farm specializing in utility bills

    “Wow my friend you are a genius! Excellent service thank you very much.”

    “Looks good thank you I will be needing you a lot more.”

    “Yeah man, just take away the date and it will be perfect.”

    “Do you think you’ll have it ready by today or tomorrow? Sorry I just really need to get this account ready.”

    “I really appreciate it man you don’t even know.”

    These are not your regular product reviews.

    In fact, all of these quotes are snippets of conversations between a template farmer and his customers, and refer to utility bill templates on one of the sites we investigated and analyzed — which, for the sake of confidentiality and security, we’ll be calling “Utility Bro”.

    The conversations are typically brief and straight to the point. Some of these even show special requests or comments by the customers regarding template quality.

    But they all end on a positive note, with satisfied potential future (or existing) fraudsters commending Utility Bro for his services, who himself claims to have “over 7 years of experience and more than 5,000 happy clients”.

    ARTICLE_UtilityBro_Conversation_1
    ARTICLE_UtilityBro_Conversation_2
    ARTICLE_UtilityBro_Conversation_3
    ARTICLE_UtilityBro_Conversation_4

    Figure 2: Screenshots of actual conversations between Utility Bro and his customers, featured on the website as reviews. Visuals were altered to preserve confidentiality.

    We first became aware of this farm when one of our clients inquired about a suspicious utility bill that seemed to have originated as a template.

    We started digging online, and soon enough, there it was. A marketplace containing over 400 of utility bill templates from across the world.

    Calling on our newly launched Threat Intelligence Unit, we dived in and analyzed the marketplace from various angles.

    What does the data on Utility Bro show?

    Here’s what we learned by thoroughly inspecting Utility Bro’s product catalog:

    How and when was the template farm launched?

    The current version of the website was launched at the end of last summer. While the website domain has been operational since 2010, it started out as a marketing-focused blog and only started functioning as a template farm in the last year.

    Wayback Machine data on the website domain show it has been operational since 2010, however, the template farm was launched in the middle of 2023

    Figure 3: Wayback Machine data on the website domain show it has been operational since 2010, however, the template farm was launched in the middle of 2023.

    There are a number of reasons why criminals would opt for obtaining an already existing domain, whether it’s a head start on SEO rankings, bypassing verification procedures, quick deployment or legal and regulatory evasion.

    There are then several possible interpretations as to how criminals obtain these domains:

    • the domain could have been legitimately sold to the current owner,

    • the domain could have been stolen, allowing for template farmers to circumvent standard domain registration processes and keep their identity hidden,

    • last but not least — however unlikely — it is possible that the people who originally launched the website transformed it into a template farm roughly 13 years later. But criminals like to stay anonymous, and such a scenario would likely make tracing the template farmers much easier, making it the most unlikely option.

    How much website traffic does Utility Bro generate?

    Using tools like SEMrush and Similarweb, we also got some idea about Utility Bro’s website traffic: The site gets around 15,000 unique visitors per month, on average, visitors stay around for about 7 minutes and visit at least 2 different pages.

    This might not sound like much at first glance. But if we apply very basic math here: Even if every 5th visitor bought just one template, that’s 3k potential fraud attempts enabled per month, and just for one website.

    Considering that some might purchase multiple templates, or use a single template multiple times, and that there are hundreds, if not thousands of these template farms, the scale of the fraud grows exponentially.

    Furthermore, website traffic tools like the ones we used provide indicative figures, and it can be reasonably expected that the actual website traffic is even higher.

    Inspecting the website traffic journey data, most people find the website through a simple organic search on Google or go to the site directly, i.e. they already know the site and visit it repeatedly.

    Looking at the trend (percentage change) in sources, it is evident that Utility Bro invests a significant amount of time and/or money into SEO optimization for relevant search queries such as “fake utility bill”.

    After finding the template customers were looking for, they simply go straight to payment, leveraging the crypto payment option through globally established services such as Coinbase or PayerURL, with a very small portion of visitors potentially checking out the referred social media page (Facebook, in this instance).

    ARTICLE_UtilityBro_Semrush_Diagram

    Figure 4: A diagram showing the template farm website traffic journey

    Inspecting the available data on audience geography, most visitors are located in Kenya (27.6% of total unique visitors), the United States (20.7%), with a significant portion of visitors located also in Namibia (9.2%), Taiwan (5%) and Greece (2%).

    Considering the prevalence of US-related templates (see map below), the percentage of unique visitors based in the US indicates a high volume of first-party fraudsters visiting the website.

    On the other hand, visitors based outside the US could often be engaged in a more sophisticated, organized crime activity.

    How big is Utility Bro’s template catalog?

    The website lists around 420 templates in its template catalog. Here, the fraudsters have shown some laziness in their web design investment, as all documents are labeled as utility bills, even though one can find fake bank statements, invoices, and pay stubs as well.

    Regardless, utility bills dominate by far, whether it’s electricity, gas, water, or telecommunications.

    What is the geographical coverage?

    The catalog lists templates referring to more than a 100 countries, across all continents and regions, with a notable omission of numerous African countries.

    ARTICLE_UtilityBro_Country_Map_RAI-BlueFigure 5: The data shows Utility Bro’s global geographical coverage,
    offering utility bill templates related to more than 100 countries.

    The United States dominates by far, with almost half of all listed templates faking documents of (mostly) utility companies operating in the US.

    The reasoning behind this could be that people from all over the world could potentially want to claim to be based in the US to get easier access to banking services or credit facilities, as well as employment or educational opportunities. Tax advantages, immigration benefits, cultural and social perception, high internet penetration of financial services or simply the overall size of the economy and scale of financial services – all of these could factor in to some degree, as there are a myriad of ways that a fake utility bill can be used further for fraudulent activities.

    Low prices, high probability of large-scale fraud activity

    The price of the templates is between $20 to $50. The main factors influencing price are country reference and template format. Templates referring to European countries are the most expensive, with North America close behind.

    However, the regional differences are not that significant — on average, we’re talking about a couple of dollars difference.

    As with so many other businesses, template farms also routinely try to entice their customers by showing a discounted “on sale” price as opposed to the original one. Not that anybody could actually assess that—  recommended retail pricing (RRP) doesn’t really apply when it comes to selling illegal goods.

    Regarding formats, editable PDFs cost significantly more than PNGs or JPEGs, as the price can go up by as much as 50–60%. That being said, buying a PDF from Utility Bro is always bundled together with the template image format, i.e. the more expensive option includes both formats.

    The explanation here is relatively simple – PDFs are more easily editable, somewhat harder to produce, and can be more effective when trying to bypass traditional document verification checks as they can pass for legitimate to the naked eye.

    PDFs also allow for easier and faster replication and scaling, should fraudsters desire to use the acquired template for multiple fraud attempts (and they often do).

    No document is safe from template farmers

    Template farmers don’t discriminate when it comes to choosing a company whose document they will templatize.

    Utility Bro sells templates referring to more than 350 different companies (aka issuers).

    These range from small, city utility companies to large energy or telecommunications conglomerates. Large companies with over a thousand employees are the most targeted (around 60%), however, smaller businesses with under 250 employees are also significantly represented.

    ARTICLE_UtilityBro_Issuer_Size_Category_CompFigure 6: Size Category (no. of employees) Comparison of Document Issuers

    Industry-wise, even though Utility Bro focuses on utility bill templates, thus logically making utility, energy, or telecommunications companies the most coveted industries, the issuers can also come from other industries like municipal services, banking or financial technology.

    ARTICLE_UtilityBro_Issuer_Industry_Comp

    Figure 7: Industry Comparison of Document Issuers

    Essentially, no company issuing documents can consider itself out of the scope of template farmers, especially considering that they continuously review and expand their catalogs.

    How do we know?

    We’ve already noticed that numerous product pages became dysfunctional over the time of our research, pointing to the vendor possibly removing templates that might have been compromised or that have become outdated in some way.

    This also clearly indicates that template farms are not just static marketplaces, but are actively managed on a daily or weekly basis, further supporting our insights into target scope and template catalog management.

    How we approach and fight template farms

    We continuously develop and improve our document fraud detection solution to account for identified template farms.

    The example of Utility Bro laid out above shows a template farmer we are properly flagging when his template has been used for creating a fake document submitted to one of our clients.

    Processed documents whose origin might not be initially known and are used repeatedly—despite change in backgrounds, settings, etc. in the photograph—have always been adequately flagged as belonging to a serial fraud attempt carrying a higher level of risk.

    However, we are now adding our threat intel to provide additional context tying document origin to specific template farms, and its risk implications.

    Just as tugging on a single thread can unravel an entire tapestry, automatically identifying one set of fraudulent documents as being part of a templated based serial fraud attempt via our Document Forensics product allows us to investigate both the regular and dark web to trace back to the source—uncovering the vendor's web of operations and exposing all the other fraudulent templates they might be selling. 

    And we dare tease one such implication of late: template farms do not operate in isolation. On the contrary, these distribution channels can be highly connected.

    But more on that next time.

    One template farm down, many more to go

    The market for fake document templates is massive, and obtaining one is (unfortunately) relatively easy and cheap.

    Considering the endless number of fraudulent activities a fake document such as a utility bill (or many others) can be used for, it should come as no surprise that this issue is not going away.

    That is why we will continuously focus on template farms, investigate them, and provide more content on how these entities operate, how interconnected they are, and what are the broader implications of this for the document fraud landscape.

    Stay tuned.

     

    Want to learn more about template farms and serial fraud?

    Register for our upcoming webinar (September 19).

    WEBINAR_3_BANNER_1