Hacker News

Rather than a recognizable number, users should be prompted to select a matching non-pronounceable glyph. Something like the keypads from KTANE [1].

That makes it impossible to text or speak it to a phisher.

Bonus points if you show the symbol as a noisy animated glyph, something like [2], or a link to a DRM'd video showing a symbol. That would make it very difficult to view even with screen recording or remote desktop software.

[1] https://www.bombmanual.com/web/index.html#:~:text=On%20the%2...

[2] https://www.youtube.com/watch?v=RNhiT-SmR1Q



There is a substantial class of users this would be too much to ask of, i.e. they wouldn’t understand it or would assume that they are being scammed somehow.


The thought of using unpronounceable text to deter phishing attempts reminds me of putting illegible Unicode as challenge question answers to prevent the CSR from giving an account away to convincing social engineers.


And then when you need to provide an accessible version?



