[hcarvalhoalves]

Yep, always the user's fault.

Never mind that it's still easy as ever to phish by email since the protocol doesn't give any guarantees of anything, not even that the "From" field can be trusted; or that SMS sucks in a similar way; or that their PCs and Android/RIM phones still allow to install untrusted apps by default.

It's quite sophisticated indeed. The prompt to install the PC app happens when the user visits the bank's site. They manage to get the user phone number and send an SMS as if they are the bank. Everything appears legit from the user's point of view. It's shortsighted to blame it on the user.