I've gotten calls from my bank before, where they tried to get me to authenticate after I answered the phone. I said "look, you called me, I'd be crazy to just answer the phone and give out personal info." They refused to provide any info that I could have used to validate that they were legit (like telling me something about my account number, when my account was created, etc.). They said I had to authenticate with them before they would tell me anything.

Sometimes the rep is understanding, and acknowledges that he would have the same reaction, but other times it's like they don't realize they're asking their customers to do something Very Stupid™.

Over a decade ago, I worked in a bank call centre, first as one of the people who would occasionally make those outbound calls and have those crazy conversations, and then later in their customer experience team. It was well known that those outbound calls to customers were a mess, but it was thought of as tricky to fix. The dilemma was that the risk department felt they needed to identify people, but not only were those people often hesitant to provide any info, we wanted them to be - for everyone else who called them, but not for us.

It was also difficult that when people asked whether they could call back, we encouraged them to, but couldn't guarantee they'd then speak to the same person. They'd need to just talk to whoever they got. That was usually enough to put the person off and they would just take the risk (unfortunately).

Edit: Just wanted to add that I personally didn't want the people to make an exception to their unknown caller scepticism. Perhaps this bugged me more than others, but I would strongly encourage them to call back, and then do my best to get the call-back transferred to me. For that and many other reasons which I like to think of as preferring quality over quantity, my stats were as bad as you'd imagine!

When that bank did really try to tackle this issue, they quickly realised that there was more than one level of risk, and for the vast majority of the calls, we could get by with very little of that customer verification process - basically just that we had called them on a number they had provided, and they stated their name (which I think was more as a recorded verification that they were at least stating they were the correct person). For the much smaller number of outbound calls with more risk, we could then ask the person to call back. Once the risk peeps were on board, it was vastly improved fairly easily.

I'm not in that space at all now, but it seems far easier than it was back then. A few banks I'm a customer of send notifications right into the online banking app, which the customer approves, confirming that they at least have access to that. I don't know what they do if you don't have the app installed. I do find it a little sad that it is yet another thing pushing you to need a smartphone (and to install yet another app). On the other hand, I think all of those banks require me to have the app to use as an authentication token to do any kind of online banking even on a desktop browser, so if you're going to do that, may as well take advantage of it everywhere.

It happened with Schwab. I've enabled option trading in one of my accounts and got a call from Schwab, asking to authenticate me. I told them I couldn't trust it's a legit call; give me a number and case number and I'd call back.

> … I had to authenticate with them before they would tell me anything.

Sensible. But this whole “we called you now prove to us who you are” mess is stupid.

“Hey, this is Carol from Le Bank. Please just give us a call back at our main number found in the app or on our website. Then you can reach me directly at extension 123.”