Not that dumb, actually:
Before even considering their cell phones, victims' computers are infected (by way of a drive-by exploit kit, e.g. Blackhole) with a variant of the ZeuS trojan. Upon their next log in at their e-banking site, ZeuS injects HTML and JavaScript into their browser. In this case, it'll inject a prompt for the victim's phone number and operating system. Since that prompt is shown within the (trusted) e-banking application, green address bar and all, it may look somewhat legitimate.
Only after entering their cell details, users will get an SMS directing them to a ZeuS mobile package. That text was solicited (seconds before, by the user themselves), though, and the banking app actually prompts for a confirmation code that'll only be displayed if the user installs said app.
All in all some naiveté is required, but to me, the whole setup is insidious and intricate enough not to ring any alarm bells in your average user.