One thing I'll note is that a password manager is really useful here, and not for the reason you'd expect. If you get what looks like it's supposed to be a login page, and you hit 'auto-fill' on your password manager and it does not fill out, then that's a big warning sign that you might not be on the site you think you are. Because the password manager doesn't care what the site looks like, it looks at the URL and sees it isn't where it thinks it's supposed to be. That's half of the reason I have my parents using password managers now. (The other half being "please stop using the same 4 passwords everywhere, dad, or writing down every password in a notebook, mom; your approach to security is going to give me an aneurysm".)

I mean, even savvy sorts can have an off day and fall for it, especially if tired. One of my friends fell for this, even though they normally would not; they'd had a long day, they were exhausted, they logged on to check stuff and got a tell, and copy/pasted it to look at it without really thinking or fully engaging brain the way they normally would. (And lost a looooot of gil as a result.) Using a password manager's autofill would've probably provided the "Wait, why didn't that work?" moment that would've shaken them back to full awareness rather than exhausted-brain autopilot.

The 2FA token is great, but it isn't enough. Plus the Square Enix 2FA token also has a very long timer on it; if you provide that 2FA code on a phishing site (as you are baited into doing on this one), there is more than enough time for someone to log in as you. I mean, even the standard TOTP or HOTP implementations that Google Authenticator, Authy, 1Password, etc. have are flawed that way; they just have shorter (30-second) timers. But with bots that could log in with the provided credentials, even the 30-second window would probably be long enough.

Though, I mean, the best (and final) defense against such things is "just be careful whenever you have a login page which you didn't type the address for yourself".
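
The autofill behaviour described above comes down to comparing the page's origin with the one saved alongside the credential. The sketch below is an added example, not part of the original comment and not any particular password manager's code; the hosts, the `SAVED_LOGINS` store and the function names are constructed placeholders, and exact-origin matching is an assumed (strictest) policy.

```javascript
// Added illustration: exact-origin matching, the kind of check that makes
// autofill stay silent on a look-alike login page.
// All hosts and the saved entry are constructed placeholders.
const SAVED_LOGINS = [
  { origin: "https://login.example.com", username: "player1" },
];

// Reduce a URL to its normalized origin (scheme + host + non-default port).
// The URL parser lowercases the host, converts IDN hosts to punycode and
// drops any "user:pass@" prefix. Returns null for input that does not parse.
function originOf(rawUrl) {
  try {
    return new URL(rawUrl).origin;
  } catch (err) {
    return null;
  }
}

// Return the saved entry to offer for this page, or null to offer nothing.
function findAutofill(pageUrl, saved = SAVED_LOGINS) {
  const origin = originOf(pageUrl);
  // Never offer credentials to a non-HTTPS or unparsable page.
  if (origin === null || !origin.startsWith("https://")) return null;
  return saved.find((entry) => entry.origin === origin) || null;
}

// Constructed page URLs: the genuine page plus forms that look right to a
// tired human but resolve to a different origin.
const SAMPLE_PAGES = [
  "https://login.example.com/account?next=/home",  // genuine
  "HTTPS://LOGIN.EXAMPLE.COM:443/",                // genuine, unnormalized
  "https://login.example.com.account-check.test/", // real name used as a prefix
  "https://login.example.com@account-check.test/", // real name in userinfo
  "https://login.examp1e.com/",                    // digit 1 instead of l
  "https://login.ex\u0430mple.com/",               // Cyrillic "a" homoglyph
  "http://login.example.com/",                     // right host, no TLS
];

// Map each page URL to the username autofill would offer (null = no offer).
function auditPages(urls) {
  return urls.map((url) => {
    const hit = findAutofill(url);
    return { url, offered: hit ? hit.username : null };
  });
}

console.table(auditPages(SAMPLE_PAGES));
```

Only the first two rows get an offer; every other row is the "Wait, why didn't that work?" case. Real managers apply their own matching rules, which can be looser than exact origin.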