"(...) many companies (not only financial institutions) are using SMS as a second authentication vector, so having both the online username and password is not enough in the identity theft process. There are some social engineering techniques in the wild that try to handle this issue by luring the user; the user thinks that is doing a specific operation, but in fact he is doing other forged one (man-in-the-browser, JabberZeus, etc.)
Os posts:
http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html
http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-ii.html
http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-iii.html