This type of stuff is diabolical for old folks who just weren't inoculated to these scams. I feel terrible for them. Get calls often asking me to help interpret.
A few weeks ago I told them: "I will never be offended or hurt if you ask suspicious questions to check my identify if I suddenly need sketchy wire-transfers or a pile of Amazon gift cards."
Sometimes the best way to defang scams is to attack the social-factors and artificial-urgency they try to exploit.
In a similar vein, no legitimate institution should ever act punitively if you tell them that you're going to call them back through their official number/e-mail/site only.
Keep it very simple: never give an SMS authentication code to anyone on a phone call, in response to a text message or email, or as part of any checkout or purchase. They are only to be used when logging in to an online account. Anything else is a scam.
Even that may be too complicated, now that I read it back.
Unfortunately there are many companies that actually rely on SMS confirmation codes in real-time, which include reading it back to them.
A legitimate and generally well liked company, and its real helpful service representative used this method to verify my identify before they could finish their support effort.
yeah someone that gets paid a lot needs to talk to someone whos pay depends on implementing that IT consultants directives.
relaying security codes by voice is how the bad guys do it, dont train your users to think its normal.
its probably not a bright idea to have your phones camera pointed at your screen while 2FA-ing or password resetting, or else someone will watch you login, and will see your codes, and use automation to authenticate with your digits faster than you can move a cursor and click.
