Hacker News
by Calamityjanitor 699 days ago
MFA doesn't stop this kind of phishing. If you're tricked into putting in your password, you'll likely put in your 2FA code right after. A YubiKey or device passkey that uses WebAuthn can stop these methods, since the domain seeking authentication is checked and it won't authenticate unless it's the original domain.

Even then, that won't help against scams and fraud that just trick you into sending money, or direct you to install malware.

1 comment

Surely it won't hurt. At minimum, it makes the attacker's job much harder -- their window to exploit becomes max 30 seconds instead of however long you don't change your password.
Tools like Evilginx proxy the traffic, then grab the auth token / cookie after a successful login. From there you can send the session tokens to something like NecroBrowser to automatically do whatever you want with the account. The whole hack can happen in seconds.
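The two comments above describe the same attack from both sides: a reverse-proxy phishing page relays password and TOTP verbatim and keeps the session cookie, while a WebAuthn assertion is rejected because the browser stamps the origin it actually loaded into the signed client data. The toy model below is an added illustration, not code from this thread, from Evilginx or from NecroBrowser. The relying party, the origins, the TOTP scheme (an HMAC over the 30 s window, not RFC 6238 exactly) and the "signature" (an HMAC with a shared key standing in for the authenticator's public-key signature) are all constructed for the example.

```python
"""Toy model: proxy (adversary-in-the-middle) phishing vs. WebAuthn origin binding.
Added illustration; every name, key and origin here is constructed."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

LEGIT_ORIGIN = "https://accounts.example.com"   # constructed real site
PHISH_ORIGIN = "https://accounts.examp1e.com"   # constructed look-alike proxy


@dataclass
class RelyingParty:
    """Minimal server offering password+TOTP login and WebAuthn assertion login."""
    password: str = "hunter2"                                   # constructed
    totp_secret: bytes = b"constructed-totp-secret"
    credential_key: bytes = b"constructed-authenticator-key"    # stand-in for the public key
    sessions: dict = field(default_factory=dict)
    challenges: dict = field(default_factory=dict)

    def totp(self, now=None, step=30):
        """Six-digit code derived from the current 30 s window (TOTP-like, not RFC 6238)."""
        window = int(now if now is not None else time.time()) // step
        digest = hmac.new(self.totp_secret, str(window).encode(), hashlib.sha256).hexdigest()
        return str(int(digest, 16) % 1_000_000).zfill(6)

    def login_password_totp(self, password, code):
        """Nothing here binds the code to where the user typed it, so a relay works."""
        now = time.time()
        valid = {self.totp(now), self.totp(now - 30)}  # tolerate a window boundary
        if password != self.password or code not in valid:
            return None
        tok = secrets.token_hex(16)
        self.sessions[tok] = "alice"
        return tok  # the Set-Cookie value a proxy can capture and replay

    def new_challenge(self):
        c = secrets.token_hex(16)
        self.challenges[c] = True
        return c

    def login_webauthn(self, client_data_json, signature):
        """Verify type, challenge freshness, ORIGIN, then the signature over clientDataJSON."""
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return None
        if not self.challenges.pop(cd.get("challenge"), None):
            return None  # unknown or already-used challenge
        if cd.get("origin") != LEGIT_ORIGIN:
            return None  # origin binding: the browser was not on our domain
        expected = hmac.new(self.credential_key, client_data_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None
        tok = secrets.token_hex(16)
        self.sessions[tok] = "alice"
        return tok

    def whoami(self, tok):
        return self.sessions.get(tok)


def authenticator_sign(rp, origin, challenge):
    """What browser + authenticator produce: the signed data carries the ACTUAL page origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin},
                             sort_keys=True)
    sig = hmac.new(rp.credential_key, client_data.encode(), hashlib.sha256).hexdigest()
    return client_data, sig


def phish_password_totp(rp):
    """Victim types password and current code into the proxy page; proxy relays them as-is."""
    victim_password, victim_code = rp.password, rp.totp()
    return rp.login_password_totp(victim_password, victim_code)  # live session token for the attacker


def phish_webauthn(rp):
    """Proxy fetches a genuine challenge, but the victim's browser signs with the phishing origin."""
    challenge = rp.new_challenge()
    cd, sig = authenticator_sign(rp, PHISH_ORIGIN, challenge)
    return rp.login_webauthn(cd, sig)  # rejected: origin mismatch


def legit_webauthn(rp):
    challenge = rp.new_challenge()
    cd, sig = authenticator_sign(rp, LEGIT_ORIGIN, challenge)
    return rp.login_webauthn(cd, sig)


if __name__ == "__main__":
    rp = RelyingParty()
    print("password+TOTP via proxy ->", rp.whoami(phish_password_totp(rp)))
    print("WebAuthn via proxy      ->", phish_webauthn(rp))
    print("WebAuthn on real origin ->", rp.whoami(legit_webauthn(rp)))
```

The point the model makes is that the TOTP check has no way to tell relayed input from direct input, whereas the WebAuthn check fails on the `origin` field before the signature is even examined; a real relying party reads `origin` from the authenticator's `clientDataJSON` exactly as shown, which is why the proxy cannot forge it without the credential's private key.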