Information Security
Ymamoro, 2020-11-08 19:48:24

How to protect a bank account for a regular user?

A friend called me recently. He says that in their small town, cases of money being withdrawn have become frequent.
They open virtual cards in the user's account and take away credit limits.
Around this time, users' smartphones lose their Internet connection. Some were called by unknown people, and some were not called at all.
As a result, it turns out that full control over the bank account was obtained. And 2 lines of autonomous protection were bypassed: banking (login + password) and cellular (SMS or push notification).
This affected several banks at once. I'm shocked.
How is this possible?

4 answer(s)
xmoonlight, 2020-11-09
@xmoonlight

1. To confirm any banking transactions, use a separate phone number (and a separate push-button phone), NOT a smartphone and WITHOUT the Internet!
2. Do not tell anyone anything, do not dictate anything and do not trust anyone.
At the slightest doubt or suspicion, immediately call your bank back yourself.

Karpion, 2020-11-08
@Karpion

Get yourself two accounts. Keep the main amount of your savings on one. When you need to pay, transfer money to the second account, to which the bank card is attached.
Another good option is to set a payment limit for yourself; then they won't steal a lot.
And one more thing: the two lines of defense that you mentioned must be tied to different devices. If it's SMS, then you can use a simple dialer phone; it's harder to hack.
Well, and most importantly, do not tell anyone the PIN code, CVV, etc. It would be good to tape over or paint over the CVV.

Denis, 2020-11-10
@MAD-Kuzia

No idea how they "break in" in your case, but here's a real example for you. Some time after placing goods on a trading platform, someone calls your phone. Then someone else. Then the phone suddenly receives a top-up for a certain amount. After 15-20 minutes, the phone stops working (the SIM card does not want to register on the network). What happened? The attackers "recovered" the "lost" SIM card, knowing the numbers of the last few callers (and it was them) and the amount of the last top-up (and that was also them). Further, having the victim's phone, getting into a bank account at some banks is easier than ever, especially if you apply a little social engineering.
As protection against this kind of fraudulent scheme, I can recommend not using mobile operators that make it so easy to "recover" a lost prepaid SIM card; not using prepaid SIM cards and using contract ones instead (for banking operations); or linking a prepaid SIM card to your documents (it will then be possible to restore it only by presenting a passport), but not all mobile operators have such a service. It is most reliable to use a separate contract number for banking operations (notifications, verification), without using it for regular calls.
