This is insecure because it relies on people having the app installed and knowing to check it. Why not call the user through the app itself? Why not send a notification through the app telling the user to find the official support line and call that?
Banks should not call you anymore since it cannot be trusted.
For context, the app is monzo bank. You can’t bank with them without the app, they’re a challenger bank. Essentially all interaction is through that app. What surprises me is that they didn’t just put a webrtc call function hidden in the app so they could call you over a secure channel in the rare case that they needed to call you.
Banks should not call you anymore since it cannot be trusted.