They probably already had his login and password. The 2FA texts were legitimately
from the bank, as the scammer was using the login and password to gain access. Then, because you're doing a "verification process", you read them the 2FA credentials and they have full access.