It might be hard to believe, but it is the reality. In the corporate space where I reside, we don’t have fake phishing attempts just to teach people - it is because corporate phishing attempts are a massive problem. They range from just wanting your banking details, like a fake retirement account action required email thing that went around where I was ages ago and got several employees, to infiltrating systems for cyberattacks. A bunch of data breaches happen because of these phishing attempts.
The more mundane or believable the email, the better (mostly - intentional spelling mistakes can exist to eliminate people who wouldn’t fall for them). With the claims of previous Tipalti data breaches (never confirmed or proved, by the way), a disclosure email with claimed passing of time and a claimed legal reliability to disclose this with an unformatted email looks believable. I would have looked at it, sighed, gone to Tipalti to reset my password without the provided link, and deleted the email thinking nothing of it.