That's why firms should use email signatures for any email that is supposed to be assumed to be authentic. In other words: The boss should have to sign this kind of email with his private key. The public key distribution problem is solved rather easily in firms (i.e. this is the job of the local admin) as opposed to the open internet.
So not using well-known best practices (email signatures created with private key) is simply stupidity and these firms get what they deserve.