Yeah. If you had physical access to the computer you might be able to install a key logger, or disguise one, but phishing is the only easy/logical way...