It's for the most part quite easy to do "SS7" (all SMS show on a web page),
or they hijack the phone accounts (SIM swap, so they have a SIM card with their number and can get the SMS codes). Typically they convince them they are you and get them to do a SIM swap (seen some mobile companies reactivate a SIM card after it was reported by the owner as hijacked; account stolen, a lot of money from someone's account).
SMS is very insecure for someone who is targeting you.
They should be using a 2FA app or RSA keys.
I wish Google would let me not use an email or number for 1FA account recovery (they do have a locked-down account mode where you have to use 2 U2F keys (one is U2F Bluetooth/NFC push button, second one is backup and account recovery)). Even if I have 2FA enabled on my account,
if I remove the recovery options I run the risk of never being able to get into my account if it's locked out for some reason, as it asks for things that I don't know (my phone itself should be the ultimate trusted source, but that can be delinked from the Google account).