I think the problem here is everyone is trying to plug the leaks in the bath after the bomb has gone off. SMS tokens are additional layers of security and shouldn't be seen as the primary. The issue is that the primary authentication method (password) has been compromised.
The real issue is the phishing emails that are being sent and users not realising. This is in part the user's fault, but we also need to look at email as a whole. The problem is that SMTP allows you to make emails look like they are from a legitimate sender even when it's actually being sent by some zombie server connected to the internet. Email authentication (where the sender is verified) has been around for some time now and would prevent the vast majority of phishing attacks and spam, yet most mail servers do not implement it. Some legitimate emails would be flagged as spam due to practices used by companies, but it wouldn't take long to flag this with the senders and have them correct their automatic mailers.
Some details on Email authentication:
https://en.wikipedia.org/wiki/Email_authentication
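
As an added illustration that is not part of the original comment: a receiver-side check that only treats the visible From address as verified when SPF or DKIM passed for an aligned domain, read from the Authentication-Results header (RFC 8601). The host name `mx.receiver.example`, the sample messages and the helper names are constructed for this example, and the alignment test is a simplification of what DMARC does.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From header claims bank.example, but the only
# identity that authenticated is the envelope sender at mailer.invalid.
SPOOFED = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@mailer.invalid;
 dkim=none
From: "Example Bank" <security@bank.example>
Subject: Verify your account

Please log in.
"""

# Constructed sample: the DKIM signing domain matches the From header.
LEGIT = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@mail.bank.example;
 dkim=pass header.d=bank.example
From: "Example Bank" <security@bank.example>
Subject: Statement ready

Hello.
"""

def _domain(value):
    return value.rsplit("@", 1)[-1].strip("<>").lower()

def _aligned(auth_domain, from_domain):
    # Simplification (assumption): exact or subdomain match; real DMARC
    # compares organizational domains using the Public Suffix List.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def sender_verified(raw, trusted_authserv="mx.receiver.example"):
    """True if SPF or DKIM passed for a domain aligned with the From header."""
    msg = message_from_string(raw)
    from_domain = _domain(parseaddr(msg["From"] or "")[1])
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # only trust results stamped by our own mail server
        for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
            pat = rf"\b{method}=pass\b[^;]*?\b{re.escape(prop)}=([^\s;]+)"
            m = re.search(pat, results)
            if m and _aligned(_domain(m.group(1)), from_domain):
                return True
    return False
```

The spoofed sample passes SPF for its own envelope domain yet still fails, because nothing that authenticated is tied to the domain the user actually sees.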