Many years ago, I worked in a call centre for a bank and the process for calling customers was exactly what you’d expect from a scammer.
In the standard/credit card section (not, for example, credit card debt collections), it was rare to have to make outbound calls, but when they were needed, no information could be given out until the customer answered security questions. Some customers questioned this because it was exactly what they’d been told never to do. They were told that of course it was right to be cautious, and they could call back, but that they would need to wait in the queue and likely speak to a different person. This was all before they could even be told what they were being called about.
Perhaps half the people questioned the process upon receiving the call (“you called me, and you want ME to prove who I am?”), but very few hung up and called back.
From memory, this was mostly improved later on - no security questions needed unless some sort of action needed to be taken on the account.
This happened to me with Bank of America’s fraud department. I had a charge that tripped the fraud detector on a relatively new card. I don’t recall the sequence of events, but I believe I was prompted to request a callback from the fraud department. When they called back I had to answer a bunch of PII questions, and then they pushed a 2FA code to me and asked me to read it back over the phone. I told him the 2FA message literally says to never give this number out to anyone, but they insisted it was necessary to continue. I was shocked that the bank’s fraud department would be so cavalier.