Quote Originally Posted by Valkyrie_Lenneth View Post
No I mean, you have to put in the code it gives you when you log in right?

If you give them the code when you "log in" to the phishing site, then the 2fa is pointless because you gave them the code to get in.
A lot of (And my preferred method) of 2FA tokens are pushed. Meaning, you'll get a text, or a push to your 2FA app. Meaning, it can't get scammed like this due to the fact that the site would tell you to put in your 2FA, but you couldn't receive your 2FA token since you actually didn't attempt to sign in.

The scammers would get your login info, but they wouldn't actually be able to get into your account, due to the fact that they didn't get your token.