Even if you have OTP/2FA, the phishing links send you to a page where they ask you to put it in. So the instant you do, the bot on the other end immediately logs into your account, forcing you offline. And it works because the OTP code is still active for a bit before it expires.

From what I've read from other people, this is all done on the same page.

Whereas when you log into a legit Square Enix site, say Lodestone/Mogstation/Online Store, the OTP/2FA code is asked for on the NEXT webpage after you enter your login/password.