receiving wireless network data based on passive monitoring of a wireless network, wherein the passive monitoring includes capturing data packets from the wireless network at specific points;

identifying a subscriber identity module (SIM) card change in user equipment (UE) based on changes in identifiers in the captured data packets, wherein the SIM card change is identified based on i) international mobile subscriber identity (IMSI) or subscription permanent identifier (SUPI) and ii) Mobile Subscriber Integrated Services Digital Network (ISDN) Number (MSISDN) changes detected in the wireless network data, wherein the i) IMSI or SUPI and ii) in the MSISDN are stored as a pair in a database, and wherein the SIM card change is identified based on comparing extracted IMSI or SUPI and MSISDN contents to IMSI or SUPI and MSISDN pairs in the database;

identifying a commercial user communication with the UE after the SIM card change, wherein the commercial user communication is determined to be commercial based on any of i) a short message service, SMS, communication including any of a short code number and an alphanumeric sender identifier and ii) detection of an identifier of the commercial user in packet data to the UE, in the captured data packets, wherein the specific points are located separate from the UE and the commercial user such that the UE and the commercial user are unaware of the passive monitoring; and

detecting potentially fraudulent activity for the UE based on a combination of the SIM card change, the commercial user communication, and the length of a time period between the SIM card change and the commercial user communication.