Scammed for $60 million per year? Remarkable if true. We really do need to shake off SMS as a method of 2FA. It's horribly insecure.
How so?
It's reasonably trivial to intercept SMS messages over 2G, somewhat easy over 3G. Many phones use these (or fall back to them in case of weak signal). Attacks have been demonstrated over 4G too, but probably not as significant.
Trusting random telcos to send SMSes out for 2FA also increases the attack vector. Say you are Eve wanting to get Bob's 2FA code to log in (you can do a refused-reply attack on Bob's bank account login page), now you attack the 2FA SMS service that Bob's bank uses, and you can obtain that 2FA token... then log in using Bob's session. Hopefully that 2FA service uses an SSL API, but even if it does, you need to make sure that telco is secure. And now do this for the hundred or so telcos you might deal with. If the 2FA was done on the device, using an app, then it could be an SSL-protected message sent the whole way, and you don't really care how secure the connection is because it is irrelevant if it is intercepted (more or less).
Also, many people don't hide SMS message notifications on their phone, so 2FA codes appear if the device is locked. This is more of a user-security issue, but it would be avoidable if a push notification was used.
Edit: It's also vulnerable to phone-number theft, and having transferred a phone number in the UK, it's remarkably easy to do so. You just need your name and date of birth; for a UK company director, this is actually mostly public information! (Or if you use Facebook etc...)
https://securityboulevard.com/2021/12/why-using-sms-authentication-for-2fa-is-not-secure/