@Edent Man-in-the-middle, I would wager.

I.e. the con is calling you up, then initializing a password restore interaction with your bank, timed so that you accept the verification, giving him access.

I only ever accept that sort of verification on calls that I have initialized myself.