The scammer calls the bank rather than trying to login. When calling, they will be asked to verify with info and the code which they will get from you. Think mitm but telephone based. The verification info (maybe just a zip code or last 4 of ssn or something publicly available) can be acquired beforehand so they only need the code to be relayed. Obviously they have to get the timing right, so you might be on the phone for a few minutes before they find a reason to ask for the code.