Phishing doesn't have to be a literal scam. The more insidious kind that companies are actually wary of are the ones intended to steal credentials and get into internal systems.

Phishers can easily find out what internal company emails look like. Send an email that looks like "Hey, we're giving you a $900 bonus. Make sure to fill out these forms on Workday", with a link to a phishing website that looks exactly like Workday.

Fill in your credentials - hey, we also need your 2-factor code - and bam, hackers have an in to the system. It doesn't matter that the employee realizes 10 days later they were phished.

It absolutely does matter that they realize a week later.

Security is like an onion - it's layered into place across different levels and different systems.

If you just want access to a single employee's machine for a short duration - sure, this would work. If you really want to compromise the whole internal net, it's going to take longer than a few hours to work your way into other systems. Generally you either need your target to access the system you want, or you have to spread to other machines to find one with the access you need.

The most effective attacks are the ones that get in and have weeks to spread through the whole internal network. Take the Target breach in 2013 - they were in the system undetected for 20 days, nearly 3 weeks.

As soon as the company knows they have a problem, any decent security team is going to check every system on record.


Maybe "doesn't matter" was too strong, but the point stands. The fact that the employee may eventually realize the folly in no way prevents damage from being done.

In the 10 days, or 1 day, that it takes before they realize they were phished, all sensitive information they can access can be stolen. Furthermore, more sophisticated phishing links can then be sent from their account. After all, who's going to suspect an actual email sent by a colleague as a phishing attempt?

A holiday-bonus type of phishing attack absolutely can work, and be extremely effective at credential theft. It may not be effective at literally scamming money from the employee, but who cares.
