The scene you described helped me quickly grasp the whole situation! I'd like to add a new example. In your example, the most dangerous part is "the user being convinced to visit the BAD website." Here's my example:

- The scammer initiates a login attempt.

- The user receives a text message with a 6-digit code and might get confused.

- The user receives a phone call from the fraudster.

- The fraudster pretends to be a representative from the software platform, convincing the user there's an issue.

- At this point, another fake text message is sent, with a link to a convincing-looking platform.

- The user enters the 6-digit verification code they just saw on this fake platform.

- The scammer logs in successfully.