Oooof. Was just subjected to the most credible phishing attempt I've experienced to date. Here were the steps:

1) "Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?"

Me: no.
2) "Ok. We've blocked the transaction. To verify that I am speaking to Pieter, what is your member number?"

Me: <gives member number> (that number, by itself, is useless).
3) "We've sent a verification pin to your phone."

~ Gets verification pin text from bank's regular number ~

Me: <reads out the pin>
4) "Ok. I am going to read some other transactions, tell me if these are yours. ~ Reads transactions ~"

Me: Yes. These are all legitimate transactions I made.
5) "Thank you! We now want to block the pin on your account, so you get a fraud alert when it is used again. What is your pin?"

Me: Are you effing kidding me, no way.
6) "Ok! But then we can't block your card."

Me: that is bs.

~ hangs up, calls the fraud department of bank ~
--> Once I gave my member number, the attacker used the password reset flow to trigger a text message from the bank.
--> They used this to gain access to the account.
--> Then read some of my transactions to give the call more credibility
--> Needed the pin to send money, failed at that step.
--> Everything before the "what is your pin" seemed totally legitimate. English was perfect. The bank verification code, sent by the expected number, tricked me.
--> The asking for my pin over the phone... not so much.
Stay safe out there, people.

And now... joyfully resetting all my passwords, filing a police report, getting additional fraud detection in place.

Never a dull moment!