Interesting and out of mind!
The smart contract token implementation should not make this scenario possible; it is faulty at its finest. Logically, in the first place, a system should not allow any transaction that is based solely on balance checking, as mentioned on StackExchange:
if balance - amountToTransfer is not negative then allow it, and 0 - 0 is not negative
This means:
Account A can send 0 tokens to account B, even if account A has 0 tokens.
Account C can send 0 tokens from any account to any other account, even without approval.
I wonder whether it is the norm to use the address from the last withdrawal transaction in your wallet, because before now I could not think of any users who do that. Nevertheless, alas, you are the one who gets scammed because of this faulty mechanism.
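As an added illustration of the two points above (example code, not from the original post or from any real token contract; all addresses, balances and events are constructed), the quoted transfer check is modelled in Python with and without a rule that rejects empty transfers made on another account's behalf, together with a wallet-side check that flags history entries the owner never actually funded:

```python
# Constructed model of the zero-value transferFrom path discussed above;
# the addresses below are placeholders, not real accounts.
VICTIM, ATTACKER, LOOKALIKE, PAYEE = "0xVictim", "0xAttacker", "0xLookalike", "0xPayee"


class Token:
    def __init__(self, strict):
        self.strict = strict          # True: also reject empty third-party moves
        self.balances = {}            # address -> balance
        self.allowances = {}          # (owner, spender) -> approved amount
        self.events = []              # emitted Transfer(from, to, value) events

    def transfer_from(self, caller, frm, to, amount):
        # Quoted rule: allow if balance - amount is not negative; 0 - 0 passes.
        if self.balances.get(frm, 0) - amount < 0:
            return False
        # Standard allowance check: allowance >= amount is trivially true for 0,
        # so a spender with no approval at all still gets past it.
        if caller != frm and self.allowances.get((frm, caller), 0) < amount:
            return False
        # Hardened variant: no empty transfer on someone else's behalf.
        if self.strict and caller != frm and amount == 0:
            return False
        self.balances[frm] = self.balances.get(frm, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        if caller != frm:
            self.allowances[(frm, caller)] = self.allowances.get((frm, caller), 0) - amount
        self.events.append((frm, to, amount))
        return True


def poisoned_recipients(events, owner):
    """Wallet-side check: recipients that appear in the owner's outgoing history
    only through zero-value transfers, i.e. entries the owner never funded."""
    funded = {to for frm, to, amt in events if frm == owner and amt > 0}
    empty = {to for frm, to, amt in events if frm == owner and amt == 0}
    return empty - funded


def demo(strict):
    token = Token(strict)
    token.balances[VICTIM] = 100
    # A legitimate withdrawal by the victim to a real payee.
    token.transfer_from(VICTIM, VICTIM, PAYEE, 40)
    # A third party with no approval moves 0 tokens from the victim to a lookalike.
    injected = token.transfer_from(ATTACKER, VICTIM, LOOKALIKE, 0)
    return injected, sorted(poisoned_recipients(token.events, VICTIM))
```

With the quoted rule the empty transfer succeeds and the lookalike address lands in the victim's transaction history; the hardened variant rejects it, and the wallet-side check exposes the injected entry either way.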