So even if the phishing attack was successful, it would not be possible for the attacker to login without this word pairing.

Maybe google authentication should be activated as this is what safe my friend’s account from been hacked in January this year. These hackers can go to any lengths in stilling people funds from exchange, casinos and gambling sites and wallets providers sites and applications. The owners of the casino websites can do a little if the players and investors themselves are not playing safe.
Okay lets say these gambling sites do have these 2fa things but most gamblers doesnt really care on activating it (this is a common behavior).
They would only set it up after such scam incident.They should done it on the first place to secure their accounts and i agree on what Kakmakr said or suggestion on having that 5 word but somehow if this codes being inputted up on a phishing site the account would be still accessed.