One of the reasons that people get caught by phishing attacks is the banks' idiotic behaviour when they call you up demanding you answer "security questions" - when *they're* the unknown quantity.
I always decline to do so, and try to explain that I'm not going to answer questions from some random stranger who's called my number, and nor am I going to call any number they give me - at least not until and unless they prove who they are to my satisfaction first.
Another example of cretinous behaviour on their part:
Most of my bank accounts are protected by 2FA of one sort or another. One day, using a shiny new laptop, I logged in to one of my accounts (that uses a PIN protected challenge/response key generator thingy), authenticated with multiple user codes, plus the 2FA response, arranged a regular payment _to an existing recipient_, received confirmation of payment and logged off.
A couple of days later, I went to log in again, to be told that my account was "not initialised properly" (or some such) and I could not log in. Figuring this was some temporary glitch at their end, I tried again the next day. Still no access. After a couple of days of this, I gave in and called their support number. After passing their security questions, they told me that my account had been frozen (no payments out, internet access blocked) due to "suspected fraudulent activity" (the payment that I made online [by now] a week earlier [which they'd actually cancelled]). I asked what was the point of having and using 2FA and all their other security measures if they were all going to be overridden/ignored just because I used a new computer!
While I do appreciate that they are supposed to make efforts to prevent fraud, a single minor difference out of several test elements should not be enough for them to a) lock me out of my own account, b) cause payments to be summarily cancelled, and (most especially) c) do this all without making any sort of attempt to contact me in any way.