Behavioral Baselines for SIM-Swap Fraud Detection in Customer-Care SIEM
Adversary emulation engagements against three Tier-1 mobile carriers revealed that fraudulent SIM-swap activity is detectable with high precision using a small set of agent-behavior features available to existing customer-care SIEM deployments. We document the feature set and report detection precision and recall against a labeled engagement dataset.
During 2025 we conducted goal-oriented adversary emulation engagements against three Tier-1 mobile carriers, with explicit objectives around SIM-swap fraud and number porting. In every engagement, the operational attack chain — phishing, VPN pivot, CRM access, SIM-swap action — was detectable in the customer-care SIEM after the fact. None of it was detected in real time, despite each carrier having a mature SIEM deployment with funded detection engineering.
This writeup characterizes the agent-behavior features that distinguished fraudulent from legitimate SIM-swap activity in our engagement dataset, and proposes a behavioral baseline approach that does not require new tooling or data sources for any of the three carriers reviewed. The features fall into five categories: agent identity (login geography, time-of-day, device), session context (idle time, ticket queue depth, cross-customer activity), action sequence (SIM-swap immediately preceded by certain queries), customer attributes (account age, recent password reset, account value), and out-of-band signals (subscriber on a do-not-port flag).
We report precision and recall of a baseline rule-set built on these features, evaluated against a labeled dataset of 312 legitimate and 47 simulated-fraudulent SIM-swap actions drawn from the engagement record. The rule-set achieves 94% precision at 81% recall on the simulated-fraudulent set, suggesting that meaningful real-time detection is achievable on existing telemetry without machine learning models or new vendor tooling.
The discussion section addresses operational concerns including alert fatigue, the cost of false positives in a customer-care context, and the customer-experience impact of step-up authentication on flagged sessions.
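To make the baseline approach concrete, the following is an added example that is not the rule-set used in the engagements or by any of the carriers. It scores a SIM-swap action with one weighted rule per feature category named above, maps the score to the responses the discussion section mentions (allow, step-up authentication, hold for review), and computes precision and recall over a labeled set. The feature names, rule weights, thresholds, the `sensitive_profile_query` name and the six sample events are all constructed assumptions; the sample set is far too small to reproduce the 94%/81% figures reported above and is there only to show the evaluation mechanics.

```python
"""Illustrative behavioral-baseline rule-set for SIM-swap actions.

Added example, not the carriers' or the engagement's actual rule-set.
Feature names, rule weights, thresholds and the sample events below are
constructed assumptions chosen to exercise the five feature categories.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass
class SimSwapEvent:
    agent_id: str
    # agent identity: login geography, time-of-day, device
    login_country: str
    agent_home_country: str
    hour_utc: int
    device_known: bool
    # session context: idle time, ticket queue depth, cross-customer activity
    session_idle_min: int
    ticket_queue_depth: int
    customers_touched: int
    # action sequence: CRM queries issued before the swap, oldest first
    preceding_queries: Tuple[str, ...]
    # customer attributes
    account_age_days: int
    password_reset_hours: Optional[int]   # hours since last reset, None if never
    account_value_tier: str               # "standard" or "high"
    # out-of-band signal
    do_not_port: bool
    # ground truth, used only for evaluation (assumption: labels are available)
    label_fraud: bool = False


# Constructed name for a query class the baseline treats as pre-swap reconnaissance.
SENSITIVE_QUERIES = {"sensitive_profile_query"}

# (rule name, weight, predicate). Weights are assumptions, not tuned values.
RULES: List[Tuple[str, int, Callable[[SimSwapEvent], bool]]] = [
    ("geo_mismatch", 3, lambda e: e.login_country != e.agent_home_country),
    ("off_hours", 1, lambda e: e.hour_utc < 6 or e.hour_utc >= 22),
    ("unknown_device", 2, lambda e: not e.device_known),
    ("empty_queue", 1, lambda e: e.ticket_queue_depth == 0),
    ("long_idle", 1, lambda e: e.session_idle_min >= 30),
    ("cross_customer", 2, lambda e: e.customers_touched > 3),
    ("recon_then_swap", 2, lambda e: bool(e.preceding_queries)
                                   and e.preceding_queries[-1] in SENSITIVE_QUERIES),
    ("new_account", 1, lambda e: e.account_age_days < 60),
    ("fresh_reset", 2, lambda e: e.password_reset_hours is not None
                                 and e.password_reset_hours <= 24),
    ("high_value", 1, lambda e: e.account_value_tier == "high"),
    ("do_not_port", 5, lambda e: e.do_not_port),
]
FLAG_THRESHOLD = 4      # assumption: score at which a session is flagged
HOLD_THRESHOLD = 8      # assumption: score at which the swap is held for review


def score(event: SimSwapEvent) -> Tuple[int, List[str]]:
    """Return the total weight and the names of the rules that fired."""
    fired = [name for name, _, pred in RULES if pred(event)]
    total = sum(w for name, w, _ in RULES if name in fired)
    return total, fired


def disposition(total: int) -> str:
    """Map a score to a response: let the swap through, step up
    authentication on the session, or hold the swap for a human reviewer."""
    if total >= HOLD_THRESHOLD:
        return "hold_for_review"
    if total >= FLAG_THRESHOLD:
        return "step_up_auth"
    return "allow"


def evaluate(events: Sequence[SimSwapEvent], threshold: int = FLAG_THRESHOLD):
    """Precision and recall of the rule-set against labeled events."""
    tp = fp = fn = 0
    for e in events:
        flagged = score(e)[0] >= threshold
        if flagged and e.label_fraud:
            tp += 1
        elif flagged and not e.label_fraud:
            fp += 1
        elif not flagged and e.label_fraud:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


# Constructed sample events (not engagement data): three legitimate, three
# simulated-fraudulent. Positional order follows the dataclass fields.
SAMPLE_EVENTS = [
    SimSwapEvent("a1", "US", "US", 14, True, 5, 4, 1, ("view_account",), 900, None, "standard", False),
    SimSwapEvent("a2", "NL", "US", 3, False, 45, 0, 6, ("search_subscriber", "sensitive_profile_query"),
                 1200, 2, "high", False, label_fraud=True),
    SimSwapEvent("a3", "US", "US", 23, True, 2, 3, 2, ("view_account",), 400, None, "high", False),
    SimSwapEvent("a1", "US", "US", 11, True, 3, 2, 1, ("sensitive_profile_query",), 30, 6, "standard", True,
                 label_fraud=True),
    SimSwapEvent("a4", "CA", "US", 10, False, 1, 5, 1, ("view_account",), 700, None, "standard", False),
    SimSwapEvent("a5", "US", "US", 15, True, 4, 3, 2, ("view_account",), 2000, 30, "standard", False,
                 label_fraud=True),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        total, fired = score(e)
        print(e.agent_id, total, disposition(total), fired)
    print("precision=%.2f recall=%.2f" % evaluate(SAMPLE_EVENTS))
```

On the constructed set the rule-set flags three events and catches two of the three simulated-fraudulent ones, giving precision and recall of 2/3 each: the legitimate agent logging in from an unfamiliar country on an unknown device is the false positive that alert-fatigue and step-up cost discussions are about, and the fraud that trips no rule shows why recall is bounded by the feature set rather than by the threshold. The `do_not_port` weight alone clearing the flag threshold reflects the writeup's treatment of that flag as a standalone out-of-band signal.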