I've been contacted by my clinic before, by a nurse who's following up from labs or something. And it's tricky, because they need to be cagey for HIPAA reasons. A lot of times, a clinic leaving voice mail to confirm an appointment won't actually say what the appointment is for or who it's with, because that's giving away too much info. The nurse calling me needs to confirm that she's got the right person, so she asks for my name and DOB right off the bat.
I call it "authentication détente", because both sides of a phone conversation are no longer trustworthy enough to bootstrap a trusted connection. I say, just use some authenticated messaging on the Internet instead.
It is not uncommon for the fraud department to reach out to you when their heuristics have flagged possible fraud on your account or card. They will quiz you about your most recent transactions. They already know who you are. They shouldn't need to ask you about PII, just transaction details.
But it's helpful if you can recall what you've been doing with that card. You will always have the option to contact them via the number published on your card, but time is of the essence in catching fraud, or helping to clear a legitimate transaction.