Completely my understanding too & that a email alert should be sent to the register email address when changing account details.
Which is why those undertaking these scam/hack have also started attacking the associated mobile service where they in essence re-register the service to a different imei number so the sms alerts /2fa get sent to a different mobile. I’m unclear what steps (if any) are taken to address the email aspect.
These are certainly less frequent & more sophisticated attacks but seem to be on the increase, hence asking the op about the nature of 2fa & advising a quick check on his mobile operation.