• laxsill@infosec.pub
    ·
    8 months ago

    Their policy should just be to reset the password immediately and have the user set a new one. This is one hell of a risk.

    • XTornado@lemmy.ml
      ·
      8 months ago

      That would imply they have to test that the credentials are correct though.

      Otherwise I can just put somebody's user and put some fake password and they would reset it and disconnect the account of that user and annoy him.

  • HornyOnMain
    ·
    8 months ago

    ngl, as someone who's been cryptoscammed reasonably recently, every time i see one of these posts i feel quite a bit more sympathy for the people who don't understand how to use the internet who do this shit. i did feel some sympathy before but now it's combined with the memory of the feeling of panic and then shame i felt in the immediate aftermath, and also understanding how these scammers are so effective.