A phishing campaign aimed at verification codes and account PINs shows how secure messaging can still be undermined at the account boundary.