Absolutely it could. However, with a secured portal - the client would know to go there, rather than email for many interactions already. Once DKIM,SPF,DMARC are on - the spoofed email is harder to do. In this particular case, I'd suggest giving them a file of contact information, and not ever publishing it (email, etc). Also, in my view, it is much easier to spoof emails, than to attack a proper web app.