The fraudster creates a fake login page and triggers a real two-step authentication request on Google's real server, even though the login page itself is completely fake. The victim still receives the message as usual and enters it into the fake login page. Meanwhile, the fraudster gains access to the victim's Gmail account.
So the fish takes the bait.