Receipt of SMS messages from a previously unknown or unexpected long code is no different than receiving a message from a previously unknown or expected email address. At best, it may be recognized; however, at worst, it could be a phishing attack. There is no legitimacy. With SMS Short codes, you have some measure of confidence that the message is legitimate as the sender is likely recognized. In fact, if an organization is sending important, time sensitive messages such as 2FA codes, then we would recommend that the originating address of the SMS messages should be an easy-to-remember and recognize short code.