I get these inbound communications all the time and many banks actually use them to communicate with you. Each time, I have always sheepishly said "This is kind of how people get scammed right. Do you mind setting it up so that if I call back the account exec will know what to do? It's just I'd feel foolish if I got scammed this way" and then I end up calling back and with a little work get where I wanted.

I think the reality is that people think "Oh couldn't be me and am I going to be the weird security guy" so it isn't whether you know software and security etc. that determines it. It's whether you're willing to be embarrassed frequently in these conversations.

I've had the banks call me, Coinbase scammers call me, all sorts. I'm at the point where I block my own area code (which is from a different state where I have a few people whitelisted fortunately) and that's eliminated a lot of it.

I don't mean I can't be scammed. Just that perhaps some mitigation comes from willing to be socially awkward and insisting to someone that you want to do it by the book.