The thing that’s crazy is that if I followed the 2 “best practices” of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.
Since when was “verifying the phone number” a best practice? Phone number spoofing is still a thing and trivial to do, which is why the best practice is to call back once you verify the phone number matches whatever the company lists (or, preferably, call their main number).
Since when was “verifying the phone number” a best practice? Phone number spoofing is still a thing and trivial to do, which is why the best practice is to call back once you verify the phone number matches whatever the company lists (or, preferably, call their main number).