
Agreed. No matter how tired and annoyed I was, I'd have stopped dead at the confirmation code that they asked for. There's absolutely no way I'd have given that to them, even if it meant cancelling my account and using a different bank.

That seems a bit extreme, but if their procedures are so crazy as to require circumventing another system's security procedures, I'm not going to bank with them.

I actually had a bank send me an email asking for information that came from another domain, had a header that looked like it had been badly scanned in, and had links to domains they don't own. When I ignored it, I eventually got a notice that my car loan was in jeopardy because I hadn't provided that information.

They had no clue why I was so upset about that email.

I paid off my loan immediately and never looked back, even though the interest was less than I make off the stock market.



I think this is a statement easier to conclude in hindsight, especially as you are primed with "this story is describing a scam, definitely". The author describes the thought process and what ended up nudging them toward believing the scammer about the workflow. A code sent like this in a legitimate workflow could be plausible. Maybe it's a requirement to ensure that the customer is indeed acknowledging the operation and the CSR isn't taking actions behind the customer's back, for instance.

The author had a lot of signals pointing toward legitimacy to counteract their natural skepticism; it was a stressful situation, and the nature of a phone call puts time pressure into the decision making, increasing the odds of a mistake.

Your example points out that false positives on the "scam or ham" decision do have a cost to the contact recipient too, so "never respond to anything" comes with risks and costs too. It's hard to be perfect.


> In order to do that, I needed to relay a confirmation code that would be texted to me.

Everything up to that point matches exactly what happened when I got a call from my own bank (Charles Schwab) regarding fraudulent charges. However, whenever Schwab sends me a code (or Bank of America, Coinbase, etc.), the code comes with a message stating that an employee will never ask you for this code.

The fact that OP is an "expert" yet fell for this shows me that they are in fact not an expert here. Don't get me wrong, the execution by the scammer was slick, but I would expect an "expert" to be familiar with their own bank's policies:

"Wells Fargo will not call or text you requesting an access code. We may ask for an access code when you call Wells Fargo customer service. Always contact us using a trusted number on the back of your card or wellsfargo.com."


1) You don't hear about the stories where the scam is stopped.

2) As you have noticed yourself, legitimate banks do what they can to make their actual requests indistinguishable from scams, and "not falling for that" can have severe consequences.
