Spoofing the "From" address on an email is fairly simple, but each email contains a "header" that you don't see by default. This header contains information that will allow the true "sender" to be traced. However, most email applications do not display this data by default, so unless you suspected the "From" address had been "spoofed", you probably would not bother digging this data out to see.
In MS Outlook, you can change your settings to download the full header information, and then see that header information by right clicking on an email and choosing "Message Options". Other email clients have similar features. But it's just isn't something most people, including IT professionals, do on a regular basis.
I have written lots of apps that "spoof" a "From" address, but for legitimate reasons. For instance, an automated process that sends an email when it encounters a problem might "spoof" the from address for the simple reason that an automated process does not HAVE a real email address. The "From" address does not even need to be a real address, so it's usually something that lets me know which process is sending it.
"Thing is..." it is easier to spoof an e-mail to begin with, hence barrycarter's post that they wouldn't have bothered getting/using the password when they could have just spoofed the e-mail to make it look like it came from the HR department's e-mail account.
The only advantage to actually using their account is that you can receive their e-mail as well as send in their name. If you just want to send, it is easier to just spoof and call it a day.