I find it very difficult to believe that anyone in such a position would fall for a phishing email.
But then I've seen some pretty smart people do some really stupid things...
I manage my husband’s HVAC biz. I used to work in IT. I get phished every day in my Office 365 Outlook email associated with the website’s domain. I just keep reporting it as phishing.