Back to Resources
From Gas Bill to Enforcement
Anatomy of a Document-Driven Fraud
Fraud

From Gas Bill to Enforcement Anatomy of a Document-Driven Fraud

The Coalition of Cyber Investigators explore how a single exposed utility bill became the foundation of a sophisticated identity fraud operation, and why organisations need to rethink how they monitor publicly accessible documents.

Paul Wright & Neal Ysart13 July 202612 min read
Share

Introduction

At The Coalition of Cyber Investigators, we have worked with several companies that have recognised that exposed documentation bearing their brand, found in publicly accessible locations – whether real or fabricated – poses an unignorable threat.

On one hand, if it is a genuine document, issues such as customer or consumer protection, privacy, fraud, information security vulnerabilities, notification requirements and regulatory exposure come into play. On the other hand, if it is a fabricated document, amongst the many challenges is determining whether any of the details are genuine, and, if so, to what extent customers are at risk of fraud and how those responsible obtained real data in the first place.

In both cases, there is significant reputational and brand exposure, and important questions that need answering, such as "why didn't our cyber threat intelligence monitoring detect this?" and "what can we do to manage this threat more effectively?"

The following case study is based on real events that we have dissected to illustrate the potential impact of leaving this risk unmitigated. Details have been changed to protect the confidentiality of those involved.

Anatomy of a Document-driven Fraud

Laura was a compliance director at a mid-tier insurance firm in the United Kingdom. Highly experienced, she had never fallen for a scam in her life, was familiar with fraud and financial crime risk, and led by example, adhering to her company's policies and procedures to the letter. However, none of that mattered.

The attack that dismantled her financial life didn't start with a phishing email or a suspicious text message. It started with a gas bill. And to make matters worse, Laura had no idea this was happening – in her mind, everything was normal, until it wasn't.

Stage 1 - Reconnaissance

Somewhere on a publicly accessible file-sharing platform, a copy of one of Laura's old personal quarterly energy bills had been available online and exposed for the best part of two years.

This wasn't a secretive, difficult to find, dark web location – it was a highly popular online platform, that didn't require any special tools or techniques to access. The document wasn't part of a previous breach notification and hadn't been flagged by regulators or other alerting mechanisms. It was simply there - indexed, downloadable, and carrying her full name, home address, account number, and the name of her domestic gas supplier.

This is the publicly accessible gap that many organisations - and those providing cyber threat intelligence services - often underestimate. As Cifas reported in its 2026 Fraudscape analysis, identity fraud accounted for 54% of all filings on the UK's National Fraud Database last year, with over 242,000 cases recorded and the UK Finance Annual Fraud Report documented £1.1 billion in total fraud losses across 2024.

What none of these reports adequately addressed - and it is a point The Coalition have raised before - is the role played by exposed documents that are not part of a confirmed breach. In other words, real or fabricated documents that are publicly available, not because of a hack, but because they were purposefully uploaded to, scraped, or carelessly stored on a platform that anyone can access.

Laura's old gas bill was one of those documents.

Stage 2 - Fraud-as-a-Service (FaaS)

Fraud-as-a-Service refers to a dark market business model where complete fraud toolkits are available to order. Fabricated identity documentation, such as those witnessed in Laura's gas bill story, are just one example of the products on offer.

Fabricating documents is big business and easy for criminals to operate. All that is required is access to elements of real customer data, such as name, address and account number and knowledge of the format, layout, and appearance of genuine documents. This ease of fabricating makes modern identity fraud scalable and has created a market by making identity theft kits available to less-technical criminals. As a result of the genuine data on the gas bill, fraudsters were able to create an entire set of fabricated but realistic documents in Laura's name.

In fact, it was easy.

On the messaging platform, Telegram - which some researchers now call a "dark web on the surface web" - entire channels operate as "fraud vending machines". In Laura's case, the sequence looked like this:

First, a fabrication service - advertised openly in a Telegram channel with 14,000 subscribers - used the personal information from the genuine gas bill as a template to produce a matching set of forged documents in Laura's name: bank statements, council tax letters, and pay slips, all formatted and branded to match the layouts of genuine documents. The cost: around £8 per document (paid in the cryptocurrency Monero).

The turnaround: under an hour.

Next, a separate service generated a synthetic passport page in Laura's name. This wasn't a crude Photoshop version with obvious flaws and errors; it was a digitally constructed image complete with MRZ (Machine Readable Zone) code, holographic overlay simulation, and a face generated to pass basic liveness checks. According to Entrust's 2024 Identity Fraud Report, digital document forgeries surged 244% in 2024 and now account for 57% of all document fraud, overtaking physical counterfeits for the first time.

However, at the root of this sequence of events is the part that most fraud management frameworks miss entirely. The starting material - Laura's real gas bill was genuine, publicly accessible, and verifiable. Everything built on top of it was fabricated, but each fabricated document inherited the credibility from the real data set out in that original document. When a fabricated bank statement carries the correct name and address and is formatted to look identical to the real thing, a compliance officer comparing it against a utility bill is more likely to see consistency than fraud.

Europol's 2025 follow-up report, Steal, Deal and Repeat, describes this as a "Crime-as-a-Service" ecosystem, turning it into a marketplace where criminal actors no longer need technical expertise to commit sophisticated fraud. They simply purchase what they need, such as a forged document, a synthetic identity, a pre-registered SIM card, or a clean bank account, from specialised providers who operate with the efficiency of a legitimate supply chain participant. This level of criminal sophistication should concern every organisation, although in our experience, many are simply unaware.

In practice, it means the barrier to entry in the world of fraud has been removed. The only raw material required in Laura's case was an exposed document with which to baseline her identity.

Stage 3 - Building the Identity

Armed with a genuine utility bill and a supporting portfolio of fabricated documents, the fraudsters now had a complete identity package.

It's important to recognise that a utility bill is not merely a piece of paper. It is one of the most requested verification documents across financial services, insurance, telecommunications, and government. It meets Know Your Customer (KYC) requirements at most major banks but is rarely subject to validation.

From there, the development of a bogus identity using Laura's details followed a familiar pattern – one which investigators see frequently:

A prepaid mobile phone was registered in Laura's name using her address details and the fabricated passport page as proof of identity. This gave the fraudsters a phone number linked to her identity and provided the key to unlock the door of two-factor authentication.

A new bank account was opened in Laura's name at an online bank, and one with which she had no existing relationship. The application required a utility bill, a form of official photo ID, and a selfie. The fraudsters had all three: the genuine gas bill, the synthetic passport page, and a matching AI-generated face image. Now they were able to receive funds into an account they controlled and use it to move money elsewhere.

A credit application was submitted to an online buy-now-pay-later provider, using the utility bill, the passport page, the new phone number, and another fabricated document – this time another statement from a high street bank showing regular salary credits, normal spending patterns, and a healthy balance.

Further applications followed in quick succession – store cards, credit cards, personal loans, all submitted to a different provider, each using the same package of fabricated documents derived from the real data on Laura's gas bill. Every application was made in Laura's name, and every approval added another source of funds for the fraudsters and another debt Laura knew nothing about.

By the time she found out several months later, her credit record had been destroyed, and the fraudsters had long since moved on.

This is not a hypothetical sequence. It is a composite scenario drawn from real investigative casework, and every step in it exploits one thing: the unchallenged availability of both real and fabricated documentation on publicly accessible platforms.

Experian's own research confirms that synthetic and document-based identity fraud now accounts for nearly a third of all identity fraud cases in the UK, with false identity cases up to 60% year on year.

Stage 4 - Discovery

However, Laura wasn't going to let this go without understanding what happened. When she eventually started to untangle the sequence of events, she did what any experienced compliance professional would do: she traced it back to the source.

And the source was her gas company.

The gas bill had given the fraudsters her name, her address, and other unique identifying details, forming the anchor of credibility needed to fabricate a portfolio of convincing documentation in her name.

Since the gas bill had been stored in a highly popular publicly accessible location, it had been indexed by search engines, so when she searched for it herself, she found it within minutes. She discovered that the bill had been exposed for nearly two years. Nobody had told her. Nobody had taken it down. And the company whose logo was on that bill was a regulated utility provider with legal obligations to protect her personal data. This is not a surprise, as The Coalition has identified numerous examples of documents that have been publicly accessible for over a decade.

However, it wasn't just her bill that Laura found. On the same platform, she discovered hundreds of gas bills bearing her energy company's brand, some uploaded in the last few days and others left exposed for years. Some of them looked genuine, others appeared fabricated, but the sheer volume of documents was a surprise for Laura.

She found other utility bills bearing the brands of electricity suppliers, water and waste providers, internet, telephony and home media services, mobile phone bills. And perhaps most disturbing for a compliance officer - bank and credit card statements, investment portfolio valuations, SWIFT transfer messages, insurance policies and illustrations, KYC documentation, healthcare claim details – not in isolated volumes but in their thousands and covering regulated organisations not just in the UK but from all over the world. For criminals, this was a goldmine – for a compliance officer, it was a nightmare scenario.

Stage 5 – Regulatory Enforcement

Armed with this information, Laura began to prepare a robust, well-evidenced case that demonstrated the gas company hadn't met its regulatory responsibilities nor its duty of care towards its customers.

The gas company is a regulated utility. It has obligations under UK GDPR, the Data Protection Act 2018, and sector-specific requirements set by Ofgem. They now had to face some very uncomfortable questions from Laura:

"How did my bill end up on a public platform and why didn't you detect this, or any of the other documents that are publicly available? Even if they are fabricated, you still need to investigate to determine if it contains real data which could indicate a customer is at risk."

"Where were the controls? Where was the monitoring? If I was able to find these documents, why couldn't a well-resourced utility company?"

"Why didn't you notify me?" Under UK GDPR, where a breach is likely to result in a high risk to individuals, the organisation must inform those affected without undue delay. Laura's gas bill had been publicly accessible for two years. She was never told. Every fraud she subsequently suffered, the identity theft and the trashing of her credit record, could have been prevented, or at least mitigated, had she been warned in time.

However, the killer question was "Given that you never knew about these documents being available, how many other customers have been defrauded because I have seen hundreds of documents bearing your brand?"

The answer, in our experience, is almost always: far more than anyone expected.

Laura complained to the Information Commissioner's Office (ICO) and instructed solicitors. She also considered going to the press but regardless of whether formal regulatory action or legal proceedings followed, the damage to the reputation of the gas company had already been incurred – the story would read:

"A regulated company, trusted by millions of customers to keep their personal data secure, had allowed a bill to sit on a public platform long enough for it to be weaponised into a full-scale identity fraud operation. They are now facing enforcement proceedings".

The Cyber Threat Intelligence Blind Spot

Your CTI programme almost certainly monitors the dark web looking for credential dumps, mentions of your brand, and even analysing Telegram channels for stolen data. This is all good practice and an important weapon in the defensive armoury of any well-managed company.

But here is the uncomfortable truth: none of those tools are looking at the places where the documents in Laura's story were found.

The gas bill that started the chain wasn't on the dark web. It was available for download from a publicly accessible location – and not within the scope of dark-web monitoring. The same is true for the bank statements, mobile phone bills, and KYC document packs that we detect every day. They are not hidden behind Tor; they are unencrypted and have no access controls. They are indexed by search engines, downloadable by anyone, and invisible to the monitoring tools that most organisations rely on.

As the National Crime Security Centre (NCSC) has noted in its guidance on building threat intelligence capabilities, effective intelligence requires multiple layers - not just indicators of compromise, but situational awareness of the broader threat landscape. The exposure of documents in publicly accessible locations bearing your organisation's brand, whether real or fabricated, is precisely the type of scenario where that kind of situational intelligence is essential. Put bluntly - if your current tools are not covering it, you have a gap. It's the same gap through which Laura's entire fraud lifecycle passed undetected.

What OSINT Sees That Monitoring Misses

This gap is precisely the blind spot that the Coalition Exposure Tool was built to address. Using proprietary open-source intelligence and investigative techniques refined over more than 110 years of combined investigative experience, our team continuously monitors publicly available locations for exposed customer data and confidential business documents, as we believe that part of the problem is that many companies are unaware that this problem not only exists but is thriving.

The Coalition Exposure Tool currently catalogues these findings across three sectors - insurance, banking and financial services, and utilities and telecommunications - because those are the sectors whose documents are most consistently weaponised in fraud chains exactly like Laura's.

The Investigative Response

In Laura's case - or rather, in the real cases that Laura's story composites – the root cause of the fraud was eventually identified not by the bank, the insurer, or the energy company, but by an OSINT-led investigation that traced the exposed source documents back to the platforms where they had been sitting. We know this because it's a typical outcome in many Coalition cases.

That investigation followed a methodology that The Coalition have written about extensively: a structured combination of open-source collection, forensic-grade evidence preservation, and intelligence grading that turns raw findings into material that can withstand legal and regulatory scrutiny. It is not enough to know that a document is exposed. You need to know when it appeared, where it was indexed, who could access it, and whether the exposure is ongoing. And where fabricated documents have been produced from genuine customer data, the investigation must trace that lineage and link the fabrication back to the genuine artefact that gave it credibility.

This is the difference between monitoring and investigation - and it is the difference between knowing you have a problem and being able to do something about it.

What This Means for Your Organisation

If you are a Chief Information Security Officer (CISO), a risk or compliance leader, general counsel, or a board member, there are three questions you should be asking right now:

  1. Do you know whether documents containing your organisation's branding are exposed on publicly accessible platforms?

Not just if you've been breached or your credentials have been found on the dark web, but whether real or fabricated documents themselves - the utility bills, the policy schedules, the bank statements, the KYC packs - are sitting somewhere that anyone with an internet connection can find. Because if they are, they are already available for deployment in identity theft attacks – and that risk should never remain unmitigated.

  1. Does your cyber threat intelligence programme cover this surface?

Most CTI tools focus on dark-web forums, paste sites, and credential dumps. These are important, but they will not tell you that a customer's insurance schedule has been accessible from a publicly available location for the past three years, or that some of your organisation's KYC documents are indexed on an open-access site. If your monitoring stops at the dark web and isn't augmented with OSINT workflows, you may have a problem you are totally unaware of.

  1. Do you have a process to investigate, assess, and act on exposure findings?

Identifying exposure is the starting point of the journey, not the destination. The organisations that manage this risk effectively are the ones that treat document exposure as an intelligence requirement - something to be continuously monitored, professionally assessed, and escalated when it warrants action. That means having the right investigative expertise available, whether in-house or through a trusted partner, to turn a finding into an evidence-grade assessment that your legal, compliance, and risk teams can rely and act on.

The Coalition Exposure Tool was built for exactly these questions. It won't tell you everything. We are careful to say - as we explain on the tool itself - that what we make available is a curated sample drawn from broader monitoring. The actual volume of exposed material is often far larger. But it will tell you whether the problem exists, the documents involved, and which sectors are affected.

Beyond the tool, The Coalition of Cyber Investigators provides bespoke investigative support for organisations that recognise the need to go deeper, including full exposure assessments, evidence-grade reporting for legal and regulatory purposes, and the development of tailored OSINT workflows to help plug the gaps that CTI platforms often miss.

The companies that proactively detect these types of exposures are usually the ones that don't end up with tarnished reputations.

In an environment where a single exposed gas bill can be turned into a complete identity fraud operation within hours, waiting for your dark-web monitoring to raise the alarm is not a defensible strategy, especially given that cost-effective OSINT workflows can be slotted into your control framework, plugging the gap almost instantaneously.

Recommended Organisational Actions

1 - Determine whether branded customer documents are publicly accessible.

2 - Integrate OSINT-based document exposure monitoring into existing CTI processes.

3 - Investigate findings using evidence-grade methodologies.

4 - Assess regulatory and customer notification obligations on a case-by-case basis.

5 - Use findings to improve prevention, governance and customer protection.

Conclusion

The central lesson is not that every exposed document will result in identity fraud, but that genuine documents can provide the credibility criminals need to create convincing fabricated identities. Organisations that understand where their branded documents are displayed are better placed to reduce the risk of fraud, protect customers, and demonstrate effective governance.

OSINT should therefore be viewed as a powerful complementary layer within a mature cyber threat intelligence capability rather than a replacement for existing monitoring.

---

Authored by: The Coalition of Cyber Investigators, Paul Wright (United Kingdom) & Neal Ysart (Philippines).

©2026 The Coalition of Cyber Investigators. All rights reserved.

The Coalition of Cyber Investigators is a collaboration between Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator; Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader; and Lajos Antal (Hungary) - Highly experienced expert in cyberforensics, investigations, and cybercrime.

The Coalition unites leading experts to deliver cutting-edge research, OSINT, Investigations, & Cybercrime Advisory Services worldwide.

Our co-founders, Paul Wright and Neal Ysart, offer over 80 years of combined professional experience. Their careers span law enforcement, cyber investigations, open source intelligence, risk management, and strategic risk advisory roles across multiple continents. They have been instrumental in setting formative legal precedents and stated cases in cybercrime investigations and contributing to the development of globally accepted guidance and standards for handling digital evidence. Their leadership and expertise form the foundation of the Coalition's commitment to excellence and ethical practice.

Alongside them, Lajos Antal, a founding member of our Boiler Room Investment Fraud Practice, brings deep expertise in cybercrime investigations, digital forensics, and cyber response, further strengthening our team's capabilities and reach.

The Coalition of Cyber Investigators, with decades of hands-on experience in cyber investigations and OSINT, is uniquely positioned to support organisations facing complex or high-risk investigations.

Our team's expertise is not just theoretical - it's built on years of real-world investigations, a deep understanding of the dynamic nature of digital intelligence, and a commitment to the highest evidential standards.