I don't understand how something like this is even possible if the user's password is not compromised.
If the scammer changed the password, he would get caught quickly. By not changing the password, the scammer can stay under the radar and impersonate the real account owner.