
Make sure that even with a hacked SIM a malicious CSR can't access your account without your knowledge.


Also ensuring that a hacker can get the 2FA token directly from the owner by pretending to be customer service...


Seriously, who designed a system that habituates people to giving out 2FA codes over the phone?? That's explicitly a weakness of the 2FA system; nobody should ever read out or forward their 2FA code.
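One design that removes the habit the comment above objects to is to make the verification happen inside the user's own authenticated app, so the CSR console only ever sees a verified/unverified flag and no code is spoken on the call. The model below is an added example for this thread, not E*Trade's or any vendor's implementation: the `UserPhoneApp`, `AccountService`, ticket identifiers and the 120-second TTL are all constructed assumptions.

```python
"""
Support-verification flow in which no 2FA code is ever read to a human.

Constructed model (not any real broker's system). The service issues a
challenge bound to the support ticket, pushes it to the user's authenticated
app, the user taps Approve there, and the CSR console shows only a flag.
"""
import secrets
import time

CHALLENGE_TTL_SECONDS = 120  # assumed lifetime of a pending challenge


class UserPhoneApp:
    """The user's authenticated app: the only place the challenge appears.
    Stand-in for a real mobile app."""

    def __init__(self):
        self.prompts = []  # (ticket_id, token) pairs pushed by the service

    def receive_prompt(self, ticket_id: str, token: str) -> None:
        self.prompts.append((ticket_id, token))

    def approve(self, service: "AccountService", ticket_id: str) -> bool:
        """User taps Approve on the prompt naming this ticket. The app, not
        the user, returns the token over the authenticated channel."""
        for tid, token in self.prompts:
            if tid == ticket_id:
                return service.app_confirms(ticket_id, token)
        return False  # no prompt for that ticket: nothing to approve


class AccountService:
    """Server side. Holds pending challenges; never hands a secret to a CSR."""

    def __init__(self, app: UserPhoneApp, clock=time.time):
        self._app = app
        self._clock = clock          # injectable for testing expiry
        self._pending = {}           # ticket_id -> (token, expiry)
        self._verified = set()       # tickets the user approved in-app

    # --- CSR console: request and read a flag, nothing more ---------------
    def csr_request_verification(self, ticket_id: str) -> None:
        token = secrets.token_urlsafe(16)
        self._pending[ticket_id] = (token, self._clock() + CHALLENGE_TTL_SECONDS)
        self._app.receive_prompt(ticket_id, token)  # delivered to the app only

    def csr_console_status(self, ticket_id: str) -> str:
        return "verified" if ticket_id in self._verified else "unverified"

    # --- authenticated app channel ----------------------------------------
    def app_confirms(self, ticket_id: str, token: str) -> bool:
        # Single use: any attempt consumes the challenge, so a wrong guess or a
        # replay cannot be retried; the CSR must request a fresh one.
        entry = self._pending.pop(ticket_id, None)
        if entry is None:
            return False
        expected, expiry = entry
        if self._clock() > expiry:
            return False
        if not secrets.compare_digest(expected, token):
            return False
        self._verified.add(ticket_id)
        return True


def demo() -> str:
    """Happy path: CSR requests, user approves in-app, console shows a flag."""
    app = UserPhoneApp()
    service = AccountService(app)
    service.csr_request_verification("T-1001")  # constructed ticket id
    app.approve(service, "T-1001")
    return service.csr_console_status("T-1001")


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is that the voice call carries no secret at all: someone who gets the user on the phone has nothing to ask for, and an approval is bound to one ticket, expires, and cannot be replayed.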


In this case it sounds like the user is calling ETrade, so unless the user calls a wrong number that just so happens to be a hacker it's unlikely this would be an issue.


Actually, that is a very common trick that scammers have used and still do. In the past they would buy Google ads or do some black hat SEO to get their fake number to the top of search engines.

Then, people searching for things like "Microsoft tech support" would get the scammer's number and call it. Google and other search engines will even pull that number from your site and handily present it to you at the top of the search results to make it appear even more legit.

Taking over unclaimed Google map listings for businesses is also really common.

Simply buying a toll free number that is close to the customer service number for a large company is bound to get you more inbound callers than you care to scam.

So no, absolutely no excuses for teaching people to share their 2fa codes.



