Maybe don't submit your cell phone number as your official contact? Submit a number that is less prone to social engineering changing it, like a VoIP provider number that has no live human support.
I don’t know how they got my number. AT&T said I should have a verbal passcode one the account AFTER the damage was done. That would have been helpful for them to mention when I set up the account. Or you could buy a prepaid burner and use that.
If you use 2FA through an app instead of receiving text messages (assuming the service in question supports this) that would limit the ability to use the social engineering angle.