This final point can be actively tested and mystery shopped, and this is a good way to put theory into practice and identify remediation training needs. For example, a caller says they are from the IT department and need to check your password, or your bank phones to confirm details of a recent transaction - how does the recipient respond?
They should be aware that no one will EVER ask them to share a password by phone or any other way, and that if someone says they are from your bank or other trusted third party, the only way to verify this is to call them back on a publicly available number. If a patient phones to request results of a sensitive health screening, then they should be asked to provide proof of identity via pre-established security questions (preferably ones they haven't shared in a Facebook quiz), before the result is disclosed.
It's exactly these awkward, personal situations where people are at their most vulnerable to manipulation and coercion, because they have to signal a lack of trust to the caller. It's much easier to go along with what the caller says about who they are, not to break the established rapport, and wind up breaking a customer's confidentiality - or blowing their employer's carefully constructed security protocols wide open - by accidentally giving a bad actor the last piece of information they need to compromise their recovery email settings.
As different parts of the world unevenly emerge from restrictions on where we can work and travel, it's particularly important to bear in mind the impact that also has on security awareness and behavior. For example, it's only natural for everyone's guard to be lowered when they are working from home unexpectedly, because home is a place identified with safety. It feels like the most secure place you know ...
But perhaps you don't even realize that you have walked too far down the garden while on a call, and your personal mobile has defaulted over to the Wi-Fi at the pub over the road, which is completely unsecured with no password at all. Suddenly, the advice you followed from your office IT guide to secure your own router and Wi-Fi connection is completely invalid, and despite the Ringover end of the call being securely routed via encrypted servers, the last few yards of the connection via your own handset are wide open to the world.