How do bank phishing scams actually work?

1.35K views

A friend of mine recently got scammed by a bank phishing link sent to her phone. She made the mistake of clicking on the link (it was a fake message saying someone had made a transaction and to click the link if it wasn’t her) and next thing she knew, $5k was taken from her bank account. She didn’t enter any details at any point, she just clicked it.

She was luckily able to call her bank and get the money back, but it got me thinking – how are scammers able to take money from you just because you click on something through your text messages?

In: Technology

5 Answers

Anonymous 0 Comments

Two ways that I can think of off the top of my head:

– Like someone else already mentioned, the link could have led to a website that LOOKED like that of the bank but in reality was a different one that was controlled by the attacker (ex: https://mybank.com vs http://mydank.com). From there she would have ‘logged in’ to the attacker’s website but in reality that wouldn’t have done anything. The attackers would have stolen the credentials that she used to ‘log in’ and then used them to transfer money to an account they owned/controlled.

– If the bank that your friend is with had what’s called a Cross Site Request Forgery (CSRF) vulnerability AND she was logged in to the bank on one of the tabs, then the attackers could have transferred money to their account simply by her clicking the link in the text message.
This vulnerability works like this: In normal circumstances, when you send money from account A to account B, that’s done through a request from you to the bank that says “Send $100 from me to B”. The request is valid because YOU are logged in on your banking app, so the bank knows that it is actually you (since you had to go through the login process) that is transferring the money. The link your friend clicked could have generated a request that said “Send $100 from me to Z”. IF your friend was already logged in to her bank (assuming the bank was vulnerable to this type of attack), the request would be accepted as valid since technically it was sent from your friend’s device, on which she would have already been logged in. Again, for this scenario the bank would have needed to be vulnerable to this AND your friend would have needed to be already logged in to the bank on a different tab.

(Pardon the spelling, typed out on mobile)

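To make the two mechanisms in the answer above concrete, here is a small added example (not part of the original post or any real bank's code). It models both scenarios in one script: a check that tells the real bank host apart from a lookalike such as the `mydank.com` of the answer, and a toy transfer endpoint that is either unprotected or protected against CSRF. The host `mybank.com`, the account names, the balances and the `Bank`, `browser_request` and `run_scenario` functions are all constructed for illustration; the key point the model captures is that the browser attaches the bank's session cookie to every request aimed at the bank, whichever page started it, so an unprotected endpoint cannot tell Alice's click from the phishing page's request, while a per-session token plus an `Origin` and method check can.

```python
# Added example (not from the original post): a model of the two scenarios
# in the answer. Hosts, names and amounts are constructed for illustration.
import secrets
from urllib.parse import urlsplit

BANK_HOST = "mybank.com"            # the real bank (constructed)
BANK_ORIGIN = "https://" + BANK_HOST


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url):
    """Scenario 1: is this link really the bank, a near-identical lookalike,
    or something unrelated? Only the hostname decides; the path is cosmetic."""
    host = (urlsplit(url).hostname or "").lower()
    if host == BANK_HOST or host.endswith("." + BANK_HOST):
        return "trusted"
    if edit_distance(host, BANK_HOST) <= 2:   # one or two typos away
        return "lookalike"
    return "unrelated"


class Bank:
    """Scenario 2: a transfer endpoint, with or without CSRF protection."""

    def __init__(self, csrf_protected):
        self.csrf_protected = csrf_protected
        self.balances = {"alice": 5000, "bob": 0, "attacker": 0}
        self.sessions = {}            # session cookie -> (user, csrf token)

    def login(self, user):
        """Issue a session cookie plus a per-session CSRF token. The token is
        only ever embedded in the bank's own pages, never sent as a cookie."""
        cookie, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[cookie] = (user, token)
        return cookie, token

    def transfer(self, request):
        session = self.sessions.get(request["cookies"].get("session"))
        if session is None:
            return "401 not logged in"
        user, token = session
        if self.csrf_protected:
            # A plain link can only produce a GET; money movement needs POST.
            if request["method"] != "POST":
                return "405 method not allowed"
            # The browser sets Origin itself; a page on mydank.com cannot forge it.
            if request["headers"].get("Origin") != BANK_ORIGIN:
                return "403 cross-site origin"
            # The phishing page never saw the token, so it cannot include it.
            if not secrets.compare_digest(request["form"].get("csrf_token", ""), token):
                return "403 missing or wrong CSRF token"
        amount, to = int(request["form"]["amount"]), request["form"]["to"]
        if amount <= 0 or amount > self.balances[user] or to not in self.balances:
            return "400 bad transfer"
        self.balances[user] -= amount
        self.balances[to] += amount
        return "200 transferred"


def browser_request(bank, cookie_jar, method, origin, form):
    """Model of the browser: it attaches the bank's cookie to every request to
    the bank, no matter which page started it. That is what CSRF abuses."""
    request = {"method": method, "headers": {"Origin": origin},
               "cookies": dict(cookie_jar), "form": form}
    return bank.transfer(request)


def run_scenario(csrf_protected):
    """Alice is logged in; a page on the lookalike host triggers a transfer."""
    bank = Bank(csrf_protected)
    cookie, token = bank.login("alice")
    jar = {"session": cookie}
    # Alice's own transfer from a bank page: POST, bank Origin, token present.
    legit = browser_request(bank, jar, "POST", BANK_ORIGIN,
                            {"to": "bob", "amount": "50", "csrf_token": token})
    # The clicked link: a GET from the phishing page, cookie attached, no token.
    forged = browser_request(bank, jar, "GET", "https://mydank.com",
                             {"to": "attacker", "amount": "100"})
    return {"legit": legit, "forged": forged, "balances": bank.balances}


if __name__ == "__main__":
    for url in ("https://mybank.com/login", "http://mydank.com/login"):
        print(url, "->", classify_link(url))
    print("unprotected:", run_scenario(csrf_protected=False))
    print("protected:  ", run_scenario(csrf_protected=True))
```

Running it shows the unprotected bank moving 100 to the attacker on the forged GET while the protected one refuses it but still accepts Alice's own transfer. Real banks layer more than this (SameSite cookies, re-authentication for payments, transaction limits), but the three checks in `transfer` are the core of why a mere click should not be able to move money.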