A long time ago, I worked for an ISP that sent out the famous "we'll never ask for your passwords" email. Then, about 3 weeks in, they sent out emails asking people for their passwords. If you told me that this was a happy ending, he sent in a check and they sent a laptop and after 2 paychecks released his deposit, I wouldn't be shocked. Some companies are run by idiots. I even know that most companies could probably cover scammed hardware with business insurance, but then I wonder how many flying-by-the-seat-of-their-pants outfits don't have the insurance.
Hoping he wasn't scammed.
It seems it was one of those cases where the "InfoSec" Department kept doing all these trainings how we don't do that and why but some manager or head decided to sent that email and surely cant face repercussions due to influence.
In the end it fucks me because when I tell my dad "Oh they never ask for you password, so don't say it to nobody no matter what."
He "But when they asked us last year?!"