I'm fairly certain I annoy the people at my bank because I always insist on calling them back at their official number if they ask for any personal information. I don't fuck around with my bank security. I did however get got a couple of more years ago back when the chrome browser window phishing attack first started and had my Steam account stolen for a solid minute.
That's the attack where they simulate a browser window so what you think is a oauth popup is actually just inpage javascript and CSS.
Yup, what you're describing sounds inline with how Corey Doctorow fell victim to fraud.