No, it's not. Phishing isn't a social problem, it's a technological problem. Whether or not you can intercept my credentials shouldn't be a question of how much I trust my IT department or how well I'm trained; the credentials simply shouldn't allow that to happen. That's the entire reason U2F was invented, and then WebAuthn and FIDO2.
If there's trust and respect, they'll reach out without fear of reprisal and inform right away when there's a problem.
If there's a culture of punishment, they'll fear the IT Gestapo and try to cover up mistakes that could cost them their job.
It really is that simple.