Why did they call? You focus much of the post on security best practices, which is indeed very important, but I think it would also be very helpful to know the reason they called to begin with. There's a huge difference between someone calling in the way you described to say "it looks like based on your account activity you might want to buy our XYZ service" and someone calling to say "this is to confirm that $10MM bank transfer to that offshore account, now what's your account number again?".
Of course, they're not going to tell you the specific details until you've correctly answered the security questions anyways. A phisher would use this to their advantage:
"Hi, I'm calling about some suspicious transactions on your account which I'm fairly sure aren't authorized, but I need to confirm with you just to make sure."

"Can you tell me what those are?"

"Sorry, I can't reveal specifics unless I can confirm I'm talking to the authorized account holder. [Ask security questions.] Thank you. Did you make a transfer of $500 to Pharma Laboratories in Albania?"

"No."

"That's what I thought, we'll go ahead and cancel the transfer. Your account will remain unaffected. Thank you for your time."
The only defense against this (other than initiating the call yourself) is to casually give obviously wrong answers, and see if the rep accepts them blindly. If your first pet's name was Buddy and you say Ninja, a real rep shouldn't accept that. That should work until a really sophisticated operation tries to do a live man-in-the-middle attack.