
It absolutely does matter that they realize a week later.

Security is like an onion: it's layered into place across different levels and different systems.

If you just want access to a single employee's machine, for a short duration - sure this would work. If you really want to compromise the whole internal net, it's going to take longer than a few hours to work your way into other systems. Generally you either need your target to access the system you want, or you have to spread to other machines to find a machine with the access you need.

The most effective attacks are the ones that get in and have weeks to spread through the whole internal network. Take the Target breach in 2013: they were in the system undetected for 20 days, nearly 3 weeks.

As soon as the company knows they have a problem, any decent security team is going to check every system on record.

Maybe "doesn't matter" was too strong, but the point stands. The fact that the employee may eventually realize the folly in no way prevents damage from being done.

In the 10 days or 1 day that it takes between realizing they were phished, all sensitive information they can get access to can be stolen. Furthermore, more sophisticated phishing links can then be sent from their account. After all, who's going to suspect an actual email sent by a colleague as a phishing attempt?

A holiday-bonus type of phishing attack absolutely can work, and be extremely effective at credential theft. It may not be effective at literally scamming money from the employee, but who cares?
