@Edent I think it’s just not possible for the average person (or maybe anyone) to evaluate these situations correctly. It’d be better for people to have a blanket rule *never* to trust any incoming call from a business under any circumstances. Hang up the phone, find the number of the business through some trusted channel, and call them back. Don’t try to suss out whether the call is legitimate.
It’s surprising to me that businesses that ought to know better are training people to do exactly the wrong thing. I got a text message from Citibank recently about suspected fraud, asking me to call a phone number they provided. I ignored that number and called the number I found in their app. After working my way through the phone tree, I eventually made my way to the fraud department, where they proceeded to ask me a bunch of questions about sensitive information. It turns out the text message was legitimate, and Citibank expected me to call them at a number that arrived at my phone unsolicited and hand over a bunch of sensitive information.
Citibank’s own fraud protection page warns you of this exact scenario: “Named for SMS (Short Message Service), the technology used for cell phone text messaging, SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website or asks you to call a phone number.”