The bank in question is SANTANDER (no point in hiding it!). Most brazilian users ALREADY know they should NEVER use more than a single on code from the token card. And, if the associated PIN is incorrect, the bank's systems always request the SAME code.
The banks (Santander, Bradesco, Banco do Brasil and Itaú from my personal experience) all repeatedly warn users to never click links in SMSs, emails, and to always initiate transactions from the bank's website.
Unfortunately, "most users" do not equal to "all users" so there's always someone ready to fall for this scam.
About the CPF format, it is made from 9 digits, plus two checking digits, calculated from the previous ones. The formula is very simple (you could calculate them by hand if you wished to), but again, simply filling in the punctuation for a random number would not work unless by pure luck (1% chance).
About the "token card", if the user keeps it secret, and doesn't do stupid things like taking a freaking photo of the card and sending it to complete strangers, it is a surprisingly rugged, low cost and efficient solution. For customers with higher balances/incomes/investments, most banks operating in Brazil (Santander included) will "upgrade" you to a electronic token, or at least a smartphone token. For a small monthly fee, of course.
Finally, I already lost count of the times similar scam came and went. In the past, they were very easy to spot as scams because of glaring typos, grammar errors, bad imagery, etc. but lately they became much harder to spot.
Facebook
Twitter
Instagram