One option is for BT to send "push" notification to mobile devices which are registered on MyBT, Google have adopted a similar method, to improve their two stage authentication process.
If an account holder then received a random SMS code, they would know it was not from BT, and could ignore it.
Thanks for the feedback @Keith_Beddoe I will feed this back to the guys looking into improvements.
The advantage of "push" notifications is that they are targeted at the device ID and not the mobile number, so can only be received by the one which matches that ID. That device ID would have also to match one registered to the account holder.
I would expect that the development team were already looking at this option.