
Color me skeptical here or perhaps this is just an aberration. I've been with Vanguard financial services for more than 30 years and I've never received any phone calls. All recent communication has been via email with a non-clickable link telling me to log into my account and check my messages.



I most definitely have had this occur, and Vanguard is hardly the only offender. Basically, every single financial institution that I have dealt with has done this. Prior to leaving HSBC when their checking rates plummeted, I had a lengthy discussion with one of their reps about the issue.

The solution? I never answer the questions. I ask for their name and a number/extension that I can call back from. I then either confirm that it matches the ones I know, or call their mainline and request to be transferred.


I've had this happen when I submit a text request and my account manager decides to call instead of responding via their (horrible) internal messaging system.

I know my account manager's name, so it is less of a concern, but that's only because she's helped me out on some thorny issues. I could imagine this being more problematic if there isn't a pre-existing relationship.


I am OP. I can assure you that this happened. You can call them and ask if these calls are standard. They will confirm.


Why did they call? You focus much of the post on security best practices, which is indeed very important, but I think it would also be very helpful to know the reason they called to begin with. There's a huge difference between someone calling in the way you described to say "it looks like based on your account activity you might want to buy our XYZ service" and someone calling to say "this is to confirm that $10MM bank transfer to that offshore account, now what's your account number again?".


Of course, they're not going to tell you the specific details until you've correctly answered the security questions anyway. A phisher would use this to their advantage:

  "Hi, I'm calling about some suspicious transactions on
   your account which I'm fairly sure aren't authorized, but
   I need to confirm with you just to make sure."

  "Can you tell me what those are?"

  "Sorry, I can't reveal specifics unless I can confirm I'm
   talking to the authorized account holder. [Ask security
   questions.] Thank you. Did you make a transfer of $500 to
   Pharma Laboratories in Albania?"

  "No."

  "That's what I thought, we'll go ahead and cancel the
   transfer. Your account will remain unaffected. Thank you
   for your time."

The only defense against this (other than initiating the call yourself) is to casually give obviously wrong answers, and see if the rep accepts them blindly. If your first pet's name was Buddy and you say Ninja, a real rep shouldn't accept that. That should work until a really sophisticated operation tries to do a live man-in-the-middle attack.
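The decoy-answer test and its man-in-the-middle limit, as an added simulation that is not part of the comment above and not code from any institution: three kinds of inbound caller ask the same security question, and the account holder leads with a deliberately wrong answer. The account record, the names "Buddy", "Ninja" and "Okafor", and the class and function names are all constructed for this example; it assumes a real rep checks each answer against the record and a relaying attacker can forward answers to the real institution in real time.

```python
"""Simulate the 'deliberately wrong answer' test against an inbound caller.

Added example, not from the thread. It models three callers who ask
security questions and shows that a decoy answer exposes a caller who
accepts anything, but not one who relays each answer to the real
institution. The record and all names below are constructed.
"""


# Constructed sample record: the answers the real institution has on file.
RECORD = {"first pet": "Buddy", "mother's maiden name": "Okafor"}


class RealRep:
    """Legitimate rep: each answer is checked against the record."""

    def __init__(self, record):
        self.record = record

    def verify(self, question, answer):
        expected = self.record.get(question, "")
        return expected.strip().lower() == answer.strip().lower()


class NaivePhisher:
    """Cold caller with no access to the record: accepts any answer, keeps it."""

    def __init__(self):
        self.harvested = {}

    def verify(self, question, answer):
        self.harvested[question] = answer
        return True


class RelayPhisher:
    """Live man-in-the-middle: forwards each answer to the real institution
    and keeps only the ones that pass, so it rejects a decoy exactly as a
    real rep would."""

    def __init__(self, real_rep):
        self.real_rep = real_rep
        self.harvested = {}

    def verify(self, question, answer):
        accepted = self.real_rep.verify(question, answer)
        if accepted:
            self.harvested[question] = answer
        return accepted


def account_holder_side(caller, true_answers, decoy_question, decoy_answer):
    """Run the test from the account holder's side.

    Offer an answer known to be wrong first. A caller who accepts it cannot
    be checking anything, so hang up. Otherwise continue with the real
    answers, which is exactly what a relaying phisher is waiting for.
    """
    if caller.verify(decoy_question, decoy_answer):
        return "decoy accepted: caller is not verifying, hang up"
    for question, answer in true_answers.items():
        caller.verify(question, answer)
    return "decoy rejected: proceeded with real answers"


def run_all():
    """Return each caller's outcome and what it harvested, for comparison."""
    callers = (
        ("real", RealRep(RECORD)),
        ("naive", NaivePhisher()),
        ("relay", RelayPhisher(RealRep(RECORD))),
    )
    results = {}
    for name, caller in callers:
        outcome = account_holder_side(caller, RECORD, "first pet", "Ninja")
        results[name] = (outcome, dict(getattr(caller, "harvested", {})))
    return results


if __name__ == "__main__":
    for name, (outcome, harvested) in run_all().items():
        print(f"{name:6} -> {outcome}; harvested {harvested}")
```

Running it shows the asymmetry the comment describes: the naive caller swallows "Ninja" and ends up with nothing but the decoy, while the relaying caller rejects it like a real rep and then walks away with the full record once the real answers follow. The only caller that never sees the real answers is the one the account holder dials back on a number already known to be the institution's.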



