There is an authentication between your phone and your telco, but there is no authentication between your telco and others. Any telco in the world (and there are many) or someone who has bribed (or hacked) someone who works there can say "this phone is now roaming our network" and traffic gets routed there.

These things are usually discovered but not before a call or sms goes through. There are also other possibilities such as diverting calls available to someone with the right access to the signalling network. Anything that's unauthenticated and unencrypted should be regarded as insecure, really.

If you can get S7 link with Telco, in most cases it's trivial to spoof Caller ID signals, as those are essentially forwarded from originating network. Getting direct S7 link isn't as hard as it sounds, it's IIRC common thing if yo want to run VOIP provider.

Your telco's NOC can at best track what "port of entry" the call came from but can't force the Caller ID go be truthful.

Once you have lived through reporting to a telco you have been dealing with fraud - you learn the procedures are in a scripted loop, everywhere. The answer will probably be go to store get new sim and never reach conclusion it was swapped for people who do not investigate their situation. I haven’t dealt with sim swapping yet some pretty heinous organized crime now and the folks are nice yet you will never walk away knowing the cause or source of an incident.