Why wouldn't it?
If you ultimately trusted a colleague that was phished into trusting the attacker, then you would trust the attacker to be who he claims to be.
They would need less believable stories and to impersonate interns, subcontractors, etc.
The pattern in the attacks could be extremely brazen, like impersonation of the editor themself or a higher position colleague to resist social checks.
Pretty strange for a long term editor to have few paths to themselves within their own publisher. (Since each attempt to gain a new connection in the publisher risks someone noticing the email address is a fraud of their own company and cause revocations.)
If the attack is 100 or 1000 times less effective it is probably written off as a complete waste of resources.