Re: But isn't this what (real) criminals would do?
If your CEO's password to the web mail portal is "number1ceo" then it's perfectly possible for e-mail from her actual account to be spam or spearphishing.
My work e-mail is text only - my choice - and I mousepoint at any URL in it to be shown where it really goes. But that can be disguised, too - funny character sets and so forth. So mainly I let someone else try first...