How to distinguish between a scam and a genuine call?
If you're worried about the authenticity of a cold-call, don't try over-the-phone authentication in either direction. Simply ask for some basic information you can use to refer to the issue in follow-up:
- Name of the company/service the account is for.
- What is the nature of the issue/offer the caller wants to discuss?
- Is there a reference ID (e.g.: ticket #) for the call?
- Name and/or agent ID of the caller.
Important: Throughout this process, you should not ever give the caller any more of your information. The main point here is to assume that someone calling you like this is an attacker, for the entire duration of the initial call.
Question #1 should be answered by the caller before you even have to ask. Be especially wary if it's not. My wife once argued for a good couple of minutes with someone calling from the "Account Services Department", before she finally handed the phone to me. When I interrupted the caller to ask "Account Services Department for whom?" the caller suddenly hung up.
After you've gotten all you can from the caller, hang up. Then, obtain legitimate contact information for the company from a reliable source (do not use any contact info given by the caller without verifying it first).
Once you've got known-good contact information, call the company yourself and ask about your account's status. Use information obtained from the caller as needed, to reference the incident.
Ask for their extension, then call the bank back with a number you trust. Most office phone systems allow you to get directly to any employee if you know that employee's extension, so hanging up and calling the bank back will not take more than a few seconds. If you have been called on an old-style landline, you should phone back on a different phone line or mobile phone, as the caller could have kept the phone line open and played a fake dial tone or used a different person/voice. This will ensure that you have in fact reached the bank, and once you've reached the employee, you should be able to tell in a couple of seconds if it's the same person.
Admittedly, this does not protect against the possibility of an insider threat at the bank. But if the bank has an insider gone rogue, you (and the bank) have bigger problems.
I worked at a call center that handled services for several banks. The person calling was likely following procedure when they didn't tell you your account number. Since phishing scams are common against banks, it was a fireable offense to give any account number without the customer verifying who they were, and even though they called you, they are still not allowed to assume the person that answers is the one they are trying to reach. Usually, and ironically, one of the verification questions we asked the customer was for them to verify their account number.
The best way to verify them is to get some kind of claim, order or support number to reference back. Get the phone number from your bank's website and call them back with the details they provided; if they have no such reference number available, they likely have a note tied to your account. You could also call or visit a local bank branch and see if they know anything about the issue, but it was common that they would not and would request you call the support line anyway.