What do you expect?
Why are people surprised by this behaviour when "legitimate" businesses (banks, utilities, credit card & phone companies etc.) routinely do almost exactly the same thing as the scammers? They practically train their customers to hand over personal information to anybody who phones them up.
I've said it elsewhere before, but I'll say it again:
Legitimate companies frequently ring customers at home (completely out of the blue) and then arrogantly demand personal information and answers to "security questions" without ever proving who THEY are first.
These same companies then wonder why people get taken in by scams so often.
In the past I have often said to such companies that if they prove who they first then I will answer their "security" questions. But invariably the companies involved are far too stupid to realise that trust is a two-way thing. As a result, every single one of them refused to prove their authenticity to me.
They could have easily done this by using innocuous info - e.g. correctly stating 2 digits from my account number (or by quoting some other non-compromising info from a previous bill or statement that the customer could check). However, these companies expect only the call recipient to be verified, despite the fact that they're the ones who cold-called you, not the other way round.
To make matters worse, up until a few years ago, most companies would withhold their caller ID, and yet they still expected you to jump through all sorts of security hoops for the benefit of an unsolicited call from total stranger with an unidentified phone number.
I now just tell these companies to get stuffed (if I didn't request the call) even when I know that they're from legitimate businesses. The call is not usually for my benefit anyway, they're usually just trying to flog another one of their products or services. If it's that important then they can ask me to call them back on their main company telephone number.