I work for a large bank in the Fraud and Security department for our corporate online banking platform. As per our existing procedures, our call center agents ask for the following pieces of information for outbound calls: first/last name, company name and username. This has raised some concerns recently, as we are "grooming" our customers to be socially engineered. In fact, one of our customers fell for a vishing attack (gave up their OTP code and username over the phone to someone claiming to be from the bank) and claimed it was our fault as they were used to us asking for sensitive information like their username. We are trying to improve the process and balance security and identity verification with convenience for our users. Has anyone dealt with a similar situation before? Any suggestions on what pieces of information should be asked? The users would be in possession of an OTP token with a unique serial number. We know their name, company name, phone number, DOB, token number, email address, etc.
I didn't find the right solution on the internet.