The OTP codes are going to be useless to combat scammers.
The current phishing scam is asking people to sign in with their user name and
password. Once those are entered, on the next page they are asking for the OTP
code that bricklink has sent.
No doubt they are automating logins so the user enters their username and password
on the fake site and then the scammers attempt a login at the real bricklink,
generating the real OTP email and the user then enters this on the fake site.
The scammer then has the username, password and real (and unused) OTP code which
they can use on the real bricklink.