Yesterday I got a call from "Amazon" where they were saying that there was suspicious activity on my account and someone was buying an iPhone. She asked me to confirm that it wasn't me, and it was outside of my normal purchasing hours (early morning), so I did actually believe it at first, especially as I had another online account compromised recently.
As she was talking I logged in and there was nothing untowards in my order history, then I looked at the phone number and it wasn't from an Amazon number (I use Truecaller which tends to identify companies) but insteard a mobile. So my spidey senses were tingling. Then she said "A 6-digit OTP code has just been sent to your phone, can you read this out to me so we can verify its you?"
I said that I do not give those codes out to anybody, and I will hang up now and call Amazon security if I do see any evidence of a breach, and she hung up before I did.
I reported the number to Truecaller's database.
I can see how easily some people can be taken in though. Needless to say, I've updated all my security settings and passwords to the most stringent.