@Edent Good attack. Only by knowing that the bank will use this only to validate that YOU are calling THEM, not vice-versa, would I be able to confidently spot it. I hope Chase and others have already taken mitigating action.