The scene you described helped me quickly grasp the whole situation! I'd like to add a new example. In your example, the most dangerous part is "the user being convinced to visit the BAD website." Here's my example:
- The scammer initiates a login attempt.
- The user receives a text message with a 6-digit code and might get confused.
- The user receives a phone call from the fraudster.
- The fraudster pretends to be a representative from the software platform, convincing the user there's an issue.
- At this point, another fake text message is sent, with a link to a convincing-looking platform.
- The user enters the 6-digit verification code they just saw on this fake platform.
- The scammer logs in successfully.