You got me thinking, so I went back to the report. The victim's call to the bank is something of a red herring, in that the scammers neither need the victim to make that call, nor to know that he did so (and I assume they did not know that.) I am guessing that the bank texted the code to the victim's phone in response to the call made by the fraudulent team, who were just hoping that he would read it back to them... which he did.
The victim unfortunately assumed, on verifying that the bank had a second call, supposedly to himself, in progress, that the bank had placed that call and that it was in fact the call he had received on the first phone.
The victim unfortunately assumed, on verifying that the bank had a second call, supposedly to himself, in progress, that the bank had placed that call and that it was in fact the call he had received on the first phone.