Probably not news to anyone here, but partial step in this direction is to put down vetted official contact details for the institutions.
Every time someone calls to say there's a problem with your account, you ask for their name and/or extension number, because recontacting through the institution is your only good way of verifying their identity.
That works when the system is setup to allow that.
I've encountered banks that don't have that setup — hilariously one bank felt the need to cold call me about my complaint about cold calling from unverifiable numbers. When I asked how I could call them on a verifiable number, they claimed I couldn't. :/
Malware on your phone can reroute your calls to the attacker. So you think you're calling the official number at the correct institution, but you're actually talking to the attacker.
Well, yeah, and knowing first-aid is worthless if someone's been decapitated. :p
If some malware is that deep on the phone, able to redirect calls, then you've got much bigger problems and the attacker might not even need to trick any cooperation at all.