> The phishing site can forward the password and TOTP you type into the real system, gaining your access.
To me this seems harder to pull off than a fraudulent password reset (either via social engineering, or a hacked email account). My TOTP fell in the drink a few years back, and some accounts were very hard to reset while others were too easy.
If you're targeting a particular person, social engineering is probably easier. If you just want to illicitly harvest some accounts, and aren't too worried about which ones, blasting out emails linking to hacked websites that fake the login & TOTP flow is very easy.