Very recently, I was on the AT&T site to open an account. It was an HTTPS site and at sign-out, I got a pop-up offering a $15 rebate. Turns out that was a scam. It was possibly labeled "advertisement" inconspicuously. I don't know. The next pop-up was labeled advertisement and I exited, but probably too late. I have also gotten such spontaneous offers from Amazon, but they seemed legitimate.
So the question is, as everything seems to be going to 2FA, what happens if you require 2FA in return? That is, when some apparent big player calls you, before saying anything, require the caller to give a phone number that you can check and call back to give an access code. How can the resulting impasse be avoided?
Case in point, just yesterday, I got a robocall from my medical insurance company that wanted me to enter my birthday before giving me some "critical medical information." I hadn't thought it through at the time, and the call was probably legitimate, but the information given was hardly critical.