I feel like this is kind-of a solved problem in the jurisdictions where banks are liable for customer losses not arising from gross negligence.

If a bank calls their customers directly and trains them to get phished, the bank does not get to claim gross negligence when this happens and has to refund the customer.

If a bank tells their customers that they'll never call them (and actually doesn't), they have much better chances of claiming gross negligence on the part of the customer.