It makes more sense when you realize it's an ass-covering exercise. Legitimate transaction blocked: "It's the user's fault for not calling the number, see, we called them and told them to call this number." Phishing: "It's the user's fault for calling the number, see, it says on our website you should never call any number." No matter what, it's always the user's fault for disobeying advice. A lot of things in our world are like this.
The whole concept of "identity theft" is this. Consider this: some dude D comes to bank B and says "I'm actually John Smith, given me $TONS of money". Bank gives the money and D disappears. Now B comes to actual John Smith and demands the money back. John is like "how it's my fricking fault that you gave your money to some random dude?!" And the bank pulls out the "identity theft" card out - you see, your "identity" got stolen, so now it's your fault for not guarding your "identity" properly, not ours! So now you should spend your time and money to fix it and we will treat you for years as a suspicious character, borderline criminal, for it. A very neat system.
I had a paper check stolen in the early 1990s. A Walmart accepted the check without its even being signed. So I reported it.
I cannot write a check at Walmart today. Not that I would; it’s antiquated even by US standards to do so. It’s that they fucked up and blame me, 30+ years later.
