First of all, the accounts these phishing messages originate from are mostly all bots. Message them as much as you like, you won't get a reply apart from the same phishing message you received in the first place, probably a couple of hours later. Phishing a bot won't work!
Steam 2FA that uses TOTP for mobile authentication won't save you. If you go to these websites and sign in, they have integrated APIs so that you can log in to Steam through their website. After you've entered your OTP (one-time passcode), a selected bot simply has access to your account. From there, it can remove your phone number and E-Mail (Steam allows users to change their E-Mail if they have Steam Guard on). At that point, all mechanisms used to recover your account do not exist.
You can open a ticket with Steam support if your account gets hacked, and they usually parse through the recent activity (change in E-Mails, phones and IP addresses) and generally you get your account back. At that point, damage has probably already been done. Getting friends to flag your account for review actually tremendously helps, especially if you have been friends with them for a lengthy period of time.
Primarily, the bots hack accounts, and then message friends of that user's account with phishing messages too. Everyone gets caught up in trust and more people get hacked.
Usually all these bots are affiliated with CS:GO gambling and all that poxy nonsense.
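
An added example, not part of the original post: the takeover pattern described above (sign-in from a new IP address, then the phone number and E-Mail changed) expressed as a detection rule over account activity. The event schema, event names and sample records are constructed for illustration and are not Steam's audit format.

```python
from datetime import datetime, timedelta

RECOVERY_CHANGES = {"email_changed", "phone_removed"}

# Constructed sample events: (timestamp, account, event, source IP).
# The schema and event names are hypothetical, not Steam's audit format.
SAMPLE_EVENTS = [
    ("2024-03-01T18:02:00", "alice", "login", "198.51.100.10"),
    ("2024-03-02T19:15:00", "alice", "login", "198.51.100.10"),
    ("2024-03-03T02:40:00", "alice", "login", "203.0.113.77"),
    ("2024-03-03T02:41:30", "alice", "phone_removed", "203.0.113.77"),
    ("2024-03-03T02:42:10", "alice", "email_changed", "203.0.113.77"),
    # bob changes his E-Mail from the only IP he has ever used.
    ("2024-03-01T09:00:00", "bob", "login", "192.0.2.5"),
    ("2024-03-04T09:30:00", "bob", "email_changed", "192.0.2.5"),
    # carol uses a new IP, but the change comes hours after the login.
    ("2024-03-05T11:00:00", "carol", "login", "192.0.2.44"),
    ("2024-03-06T11:00:00", "carol", "login", "203.0.113.9"),
    ("2024-03-06T15:00:00", "carol", "email_changed", "203.0.113.9"),
]


def flag_takeovers(events, window=timedelta(minutes=30)):
    """Return {account: [recovery changes]} made from a never-before-seen IP
    within `window` of that IP's first login."""
    seen_ips = {}      # account -> IPs that have logged in before
    first_login = {}   # (account, ip) -> time of the first login from a new IP
    flagged = {}
    for ts, account, event, ip in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        known = seen_ips.setdefault(account, set())
        if event == "login":
            # The first IP ever seen is the baseline, not an anomaly.
            if known and ip not in known:
                first_login[(account, ip)] = when
            known.add(ip)
        elif event in RECOVERY_CHANGES:
            start = first_login.get((account, ip))
            if start is not None and when - start <= window:
                flagged.setdefault(account, []).append(event)
    return flagged


if __name__ == "__main__":
    for account, changes in flag_takeovers(SAMPLE_EVENTS).items():
        print(f"{account}: recovery changes right after new-IP login: {changes}")
```

A valid OTP on the new-IP login does not clear the alert, since the code was typed by the real user; the signal is the recovery details changing immediately afterwards.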