The procedure is as follows. You are sent a link in-game to the supposedly official forum. In reality, the website you land on is of course a very well-made fake. When you log in to this website, the attackers now have your login details. This is simple phishing, which wouldn't be a big problem if Square Enix's security wasn't so broken.

One-time password (2-factor authentication):
The attackers next set a one-time password (2-factor authentication), and the account owner is now locked out of their own account. There is no verification at all: the account owner does not get an email to confirm this process. The email is actually already the 2-factor authentication, but it is simply ignored when creating a one-time password.

Only AFTER the one-time password has been set do you get an email, and this email gives you no way to indicate that you were not the person who created the one-time password. With such an option, the account could be locked immediately and the attackers would have no further avenue of attack.

Geoblocking:
Normally, Square Enix runs a process in the background that checks for suspicious behavior and temporarily blocks the account. This mechanism has already been triggered incorrectly several times for friends. Yet here, the real attacker was not stopped by it.

Change password:
It was not possible to change the password in time, because the service was simply offline. But it was still possible to enable 2-factor authentication. Why is this service not disabled as well when it is not possible to change the password? The account owner has no way to change the password in time.

Try to log in:
If you enter the wrong password several times when logging in, you are temporarily blocked and have to wait several minutes before you can try again. Strangely enough, the attacker is not logged out of the game. So the account owner is blocked for a short time and cannot log in, but the attacker is still in the game and can empty the character.

Square Enix Support:
Since the beginning of the COVID-19 pandemic, official support has been hard to reach. It sometimes takes days to get a response. There is no quick phone support anymore; a chat support is advertised on the website, but after you have entered all the important data for the support request, you are told that the chat support is not available, and you get the info that an answer can take several days. In the game itself it is also not possible to talk to a GM immediately, although the FAQ claims that it should be possible. The attacker has DAYS to do all sorts of nonsense with the account. There is no excuse for the fact that the support is still so bad.

Other security measures:
Why is it not possible to lock the account yourself, on the same principle that has been used with credit cards for years? That way the greatest damage could be averted immediately.
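A small model of the account flow described in this post, as an added example (not Square Enix code; the class and method names are assumptions): the weak path enables the one-time password straight away, the hardened path only activates it with the emailed confirmation token and then revokes every other session, and an owner-initiated lock behaves like a credit-card freeze. The failed-login block deliberately leaves existing sessions alive, mirroring the flaw in the "Try to log in" section.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:  # hypothetical model, not a real account system
    password: str
    otp_enabled: bool = False
    sessions: set = field(default_factory=set)  # live web/game sessions
    pending_otp_token: Optional[str] = None      # stands in for the emailed confirmation link
    failed_logins: int = 0
    locked: bool = False                         # owner-initiated lock

    def login(self, password: str) -> Optional[str]:
        """Return a new session id, or None when rejected or temporarily blocked."""
        if self.locked or self.failed_logins >= 3:
            return None  # the temporary block does NOT touch existing sessions (the flaw)
        if password != self.password:
            self.failed_logins += 1
            return None
        self.failed_logins = 0
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return sid

    def enable_otp_weak(self, session: str) -> bool:
        """Weak flow as described: any valid session enables OTP at once; owner hears later."""
        if session not in self.sessions:
            return False
        self.otp_enabled = True
        return True

    def request_otp(self, session: str) -> Optional[str]:
        """Hardened flow, step 1: only issue a confirmation token to the registered email."""
        if session not in self.sessions:
            return None
        self.pending_otp_token = secrets.token_urlsafe(16)
        return self.pending_otp_token

    def confirm_otp(self, token: str, session: str) -> bool:
        """Hardened flow, step 2: OTP turns on only with the emailed token; other sessions die."""
        if self.pending_otp_token is None or not secrets.compare_digest(token, self.pending_otp_token):
            return False
        self.otp_enabled, self.pending_otp_token = True, None
        self.sessions = {session}  # revoke every session except the confirming one
        return True

    def owner_lock(self) -> None:
        """Self-service lock, like a credit-card freeze: rejects logins and kills every session."""
        self.locked, self.sessions = True, set()
```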

TL;DR
By combining phishing with the exploitation of the 2-factor authentication system, an attacker can lock an account owner out of their own account. All of Square Enix's systems to prevent this either do not work or have not been properly thought through.