All that is required is that they phish in real-time or automate the attack. These attacks are not uncommon in the wild. MITM’ing three fields in a login page is not much harder than writing two fields to a DB. And it’s basically trivial to do it over the phone.