A good section of non-technical people would fall for the same thing if presented from any random website in Safari (especially with iOS's predilection towards random password popups from background processes...). Not trying to downplay the issue, just provide some perspective.

One big difference is that by tying it to the email client, you're already showing the targets email address pre-filled, just like the legit prompt would. Plus, you can specifically target an individual and show the prompt without needing to convince them to visit a webpage first.