"if I call your office, do I get you?"
It was actually the ISP of a webshop I did work for, who asked me that. My answer was that no, I wasn't at the office, but if they'd call the owner (who had asked me to act on his behalf) on his mobile (and they did have that number already, didn't they?) as he also wasn't at the office, he'd verify the story and give them my number and I'd be reachable there.
My experience with banks, OTOH, isn't quite as good. Like a certain one that had a "webchat" where you'd be connected to someone with only a first name who'd ask for date of birth and such. That "chat" thing ran on a third party site, and no ssl in sight. Subtle.
But it gets worse. Nearly everybody who needs to do authorization actually asks for authentification or worse, /identification/ as if that'd prove anything--requiring "governemnt ID" and often as not taking a convenient copy or scan (that might get lost somewhere too, it's happened) that contains enough information to impersonate.
This is a problem of mindset as much with verifier as with the verifee --failure to ask for counter-verification--, as failure to understand just how this whole thing works or even what the goals must be. Moreover, this is how the government structures the field through providing only identity documents.
It oughtn't be too hard to provide cryptographically secure carriers of /authorization/ instead, then add zero-knowledge proof sauce for added privacy protection. That way, the government would actually help provide a level field for this sort of thing. But they don't, for they don't understand it either; the whole thing grew out of administrating the birth-and-death registry, not from a desire to facilitate anything in a secure and privacy-protecting manner.
This is quite possibly the largest, deepest rooted, worst understood, unsolved problem of our time.