No organization can work if normal communications are hijacked and spoofed by bad actors. This is a pretty severe security issue that no amount "social engineering awareness" training is going to fix. Most businesses can't operate if every decision of consequence needs a face to face meeting to verify authenticity.
There are other ways for 2-factor/3-factor verification (physical or passcode based tokens, e-mail+voice, or even a video chat).
There are other ways of safety like requiring a 2-person authorisation for large transactions - many organisations and especially charities already do that.
