It's pretty obvious what is a 2FA code and what is not. If I'm being sent a code on my email or phone, I know not to tell it to someone on the phone. Indeed, even that very email she was sent contained a reminder not to tell it to someone on the phone.
I read the entire article, I am just unimpressed by the justifications as to how this "could happen to anybody."
I don't think the e-mail in the article is very obviously a 2FA code? I usually associate 2FA with something I use to log in somewhere; not to do some other operation which (presumably) already requires account access. To me, it looks like a Wells Fargo Apple Pay "Verification Code", which honestly could mean anything.
There are other signs, obviously. You could ask the question of, why is the e-mail asking me to enter the code myself while the customer support rep is asking me to provide it over the phone? But as you well know, the author also asked that question, and arrived at a plausible enough sounding answer.
Regarding that last sentence: I have actually skimmed the e-mail many times now, and only when looking at it again to try to understand what you meant by "even that very email contained a reminder not to tell it to someone on the phone" did I actually see that part. I suppose I just started reading the standard "if you have questions call us on this number" text and skipped the rest of the paragraph. Brains are very good at extracting what they think is the relevant information and ignoring what they think is the irrelevant information, especially when in an active social interaction with another person who expects something from you.
I think any technical person should be able to analyze a play-by-play description of the events and explain exactly how each mistake could've been avoided. But I think most technical people could've made similar mistakes if they were caught in a vulnerable state of mind. I think sharing these kinds of stories, where even people who "should" know better got scammed, is an important part of how we learn to recognize scams. I think the vitriol in places like this comment section plays a part in making people avoid sharing stories like this.
> Indeed, even that very email she was sent contained a reminder not to tell it to someone on the phone.
Yes, as regular unformatted text and tucked away at the end of the very last paragraph that starts with standard boilerplate:
"If you did not request this code, or if you have questions, please call us at the toll-free number on the back of your card. Wells Fargo will not contact you by phone or text to request this code."
Worse yet, the second paragraph starts with "Important:". That implicitly signals that the most important part of the email is what follows. However, that's obviously not the case.
The email is absolutely horrible security-wise, it downplays the most important security bit while overplaying everything else.
I happened to read through the entire email while reading the story and spotted the text at the end, but I'm not that confident I would be as diligent in a real life situation, especially if I was tired, like the OP was.
Just about every regular person would easily fall for this.
> It's pretty obvious what is a 2FA code and what is not.
Unless you're distracted or otherwise having a bad day. Everyone has bad days, even experts. To stay secure you must be secure always, while the scammer only has to be successful rarely. This dynamic favors the scammer very strongly.