
Easy solution: Don't use SMS for password recovery.

SMS might even be okay for 2FA, but it must always be the second factor. "Forgot my password" -> SMS code -> new password is just 1FA. Using SMS as the only factor is really, really bad.
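The factor-counting argument above, as an added example that is not from this thread: a small password-reset policy check that counts distinct factor *types* (knowledge, possession, inherence), so an SMS-only reset is rejected as single-factor while password-then-SMS passes. The method-to-factor table is a constructed assumption, not any real service's policy.

```python
from enum import Enum

class FactorType(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"

# Constructed catalogue (assumption, not from the thread): which factor type
# each authentication method actually proves. An SMS code only proves control
# of the phone number, so it is a single possession factor, the same type as
# an authenticator app or a security key.
METHOD_FACTOR = {
    "password": FactorType.KNOWLEDGE,
    "sms_code": FactorType.POSSESSION,
    "totp": FactorType.POSSESSION,
    "security_key": FactorType.POSSESSION,
    "fingerprint": FactorType.INHERENCE,
}

def factor_count(methods):
    """Number of distinct factor types proved by the given methods.
    Two methods of the same type (e.g. SMS + TOTP) still count as one."""
    return len({METHOD_FACTOR[m] for m in methods})

def reset_allowed(methods, min_factors=2):
    """Policy check for a password-reset request.

    The new password is being *set*, so it proves nothing; only the methods
    completed before the reset count. Returns (allowed, reason)."""
    unknown = [m for m in methods if m not in METHOD_FACTOR]
    if unknown:
        return False, f"unknown method(s): {unknown}"
    if not methods:
        return False, "no authentication presented"
    n = factor_count(methods)
    if n < min_factors:
        types = sorted({METHOD_FACTOR[m].value for m in methods})
        return False, f"only {n} factor type(s) proved ({', '.join(types)})"
    return True, f"{n} distinct factor types proved"

if __name__ == "__main__":
    # "Forgot my password" -> SMS code -> new password: the flow from the comment.
    print(reset_allowed(["sms_code"]))
    # SMS plus a second possession factor is still only one factor type.
    print(reset_allowed(["sms_code", "totp"]))
    # Password proved first, SMS as the second factor: genuine 2FA.
    print(reset_allowed(["password", "sms_code"]))
```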



The choice of 2FA options isn't under user control. And various non-carrier options (Google Voice) are rejected.


Then don't use insecure services. I think in the EU SMS-only password reset indirectly violates data privacy laws (not securing private data with industry standards).


You should stop using passwords altogether then and move to passkeys. Passwords are on a hot deprecation path.

Hell, soon with biometrics and public key crypto you'll be able to attest that you're physically sitting in front of a computer and have an ID issued by a state that matches.



