Well, I was over-cautious too, thinking that one of the genuine ones from a bank was a scam. In my defence, firstly, I spent quite a long time deciding but came down on the side of caution and, secondly I have been contacted by my bank in almost the same way as the example, for the same reasons, but the nature of the messages were different enough for me to think twice.
I'm pretty clued up, I screen my phone calls, use a password manager, have two factor authentication turned on, use a VPN if using WiFi away from home or mobile data on my phone, hover the pointer over email links and urls, keep my contactless card in the depths of my bag, and check my online accounts frequently.
All this security didn't stop someone from using my credit card number on a site that didn't carry out proper verification checks (my card details weren't stolen and my PIN not exposed), nor did it stop some thieves from hurling a brick through modern double glazing and trashing our things!