I don't know, I maintain that policy fairly strictly, but I can imagine falling for this.
I won't as a policy give out information to an incoming call, and I do call back if they want any info from me. But my working memory is not endless. The topic of discussion had changed three times before he was asked for any information, and the information still wasn't PII, it was a confirmation code. The scammer knew enough about him that he wasn't especially on alert. I can well imagine that flag in my mind that I was on an incoming call having been lost before we got to that point. And I suspect that's exactly how the scam was designed.
I won't as a policy give out information to an incoming call, and I do call back if they want any info from me. But my working memory is not endless. The topic of discussion had changed three times before he was asked for any information, and the information still wasn't PII, it was a confirmation code. The scammer knew enough about him that he wasn't especially on alert. I can well imagine that flag in my mind that I was on an incoming call having been lost before we got to that point. And I suspect that's exactly how the scam was designed.