Ask them their name/ last initial, employee ID or unique identifier for the conversation, direct phone number, job title and what location they're based at. Scammers will pretty much always refuse/argue/hang up on this (once I had one start insulting my mother in Hindi when I asked him this). Then call your bank's proper number and verify all of these details.

(But in any case your bank will never call outwards to you, unless you've specifically requested that, which you almost never do.)

Or, which has worked great for me; just never answer the phone. If people need something they will email or chat. If not then it is not going to be important.

Nowadays, when banks call you here, they allow you to verify the bank is actually calling you with the mobile app - you can see their name and number they're calling you from in the app. Also, you can often verify you're you with the app too, same as any other app authorization, so you don't have to share any details over the phone. I feel like this is a pretty good improvement.

We have an app called bankid. If my bank calls me they'll ask me to open the app to auth, the app shows that the specific bank initiated auth and also says that they called me.

Same app is used to auth to government pages and all kinds of stuff online, even purchases.