Should the phisher get access to one of these accounts, they can buy goods, find your credit card or banking details... the result being disastrous and potentially very costly.
That means if a phisher gets your password he can use it to raid your bank account, your email, your various shopping accounts and goodness knows what else.
When we acknowledge the increased sophistication shown in the phisher's arsenal, it becomes more difficult to justify penalising employees for falling victim to their trickery.