Should have written that more clearly. More accurate verbiage would have been "changing all my banking credentials, and enabling all possible notifications". I have no reason to believe other credentials were compromised, and have unique pw in place for nearly everything.
There seems to be broad consensus amongst the commenters that this is the most reliable defense against this kind of attack. Makes sense. If they are able to intercept my outbound calls, it's probably an entirely different level of sophistication and targeting.
OP here. Just a couple of the things I learned since I posted the Twitter thread:
- The caller spoofed the phone number of the bank. The bank was not in my contacts, so I did not notice. Someone else in the thread noted that they did have the bank's phone number stored, which upped the credibility of the call to them.
- The caller called me twice in rapid succession (First ignore the call from a number you do not know. Then they call back again immediately: "maybe this is urgent / important"). Another person in the thread, who fell for the scam, noted this same pattern.
- It is better if banks include a security warning / specific reason the code is sent with the password reset pins and similar credentials. My bank did not. Another twitter user noted being subject to the scam, and just glancing over the warning copy. So it helps, but it is not perfect. Especially pre-coffee.
- My bank no longer allows me to reset my password without calling them (thanks bank).
When I read the thread now, it's obviously full of red flags. I was successfully manipulated, and whilst I'm certainly not as clever as all the people pointing out they would have caught this from sentence one, I believe I'm also not the lowest hanging fruit in terms of a target :-) Makes you wonder what this will look like when these scams evolve another couple of generations in terms of complexity ...