Comment by necovek

2 hours ago

The fact that they are easily spoofed is of no consequence for this use-case: entering an invalid 2FA code will simply fail to log you in to your banking. You should obviously not follow a link from an email that is not obviously coming from your request (and you should validate the top-level domain is what it needs to be even in that case), but you should be entering the bank web site directly.

The bigger problem is SIM swapping, which is more of a social engineering attack.