A scammer wanting to access your account goes to the BT landing page , they already have your email for a million places you have given your email to in the past , or they speculate , A.Smith @btinternet  doesn’t need a genius to guess that ….. they click the ‘I forgotten my password ‘ link  as they are speaking to you with the phone number they probably got from the same source as your  email address  , they say they are BT and will send you a text to prove it  , they don’t need to know your mobile , they know  the BT ‘I’ve forgotten my password’ algorithm knows it ….you get a genuine text from BT with a one time code ….obviously if this were genuine and it was you on the landing page unable to remember the password you would use the code to access your account and change your password  , the text even says don’t divulge this code to anyone including BT , so if the scammer says ‘I’ve sent you a text tell me the code to verify it’s you ‘ , you should immediately then tell them to ****off , why would BT send you a text then ask you what it said ? 

If you genuinely wanted to access your account but couldn’t remember your password , and this type of  2 factor authentication system wasn’t available how would you access your account without calling BT  , possibly waiting a long time for an answer then having to prove you are who you say you are , or clicking a link that says we will sent you a reminder in the post , possibly a few days to wait until the postie delivers it …..unfortunately it is difficult to make a system that is convenient for the customer and impervious to scammers ….if any unexpected unexpected caller says  ‘ I’m calling you about a problem on your internet ‘ or anything else , when you haven’t reported anything , you just  say ‘ I don’t have  a problem ,  go away ‘  that’s with any unsolicited call not just BT   , if you are not sure , tell them if it’s important to write you a letter