The entire website can be cloned (or just that one page).
But they'll just ask you to enter your existing password, before changing it.
Many people would fall for it. They see the green lock, the https://secure.Backblaze.com or whatever. And then what?
Sites can mitigate this by sending a "magic link" to your email to authorize any important actions, like a password change. That way they won't be able to make use of "what you know", without also getting into your email ("what you have").
But instead, many sites ask you to confirm it on your authenticator app by entering a number on the site. The problem with this is that the attacker can just proxy this while having you on the line with some real-time social engineering and enter the number themselves.
How much protection is there, really, against this? I ended up copying the link, deleting the domain and typing it myself just in case.
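The "magic link" confirmation mentioned in the comment above, sketched server-side as an added example that is not part of the original post or any site's actual code. The origin `app.example`, the names `SERVER_KEY`, `TOKEN_TTL`, `issue_link` and `confirm`, and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-deployment secret
TOKEN_TTL = 600                       # assumption: links expire after 10 minutes
_pending = {}  # token digest -> (user, action, expiry); stand-in for a DB table


def _digest(token):
    # Store only a keyed hash so a leaked table does not yield usable links.
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()


def issue_link(user, action, now=None):
    """Create a single-use token for one (user, action) pair; return the URL to email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = (user, action, now + TOKEN_TTL)
    # The URL uses a fixed origin chosen by the server, never the request's Host
    # header, so the emailed link always leads to the genuine site.
    return "https://app.example/confirm?token=" + token


def confirm(token, user, action, now=None):
    """Authorize only if the token is known, unused, unexpired and matches."""
    now = time.time() if now is None else now
    # pop() makes the token single-use: any confirmation attempt burns it.
    record = _pending.pop(_digest(token), None)
    if record is None:
        return False
    tok_user, tok_action, expiry = record
    return tok_user == user and tok_action == action and now <= expiry


if __name__ == "__main__":
    # Constructed sample flow: a password change requested for user "alice".
    link = issue_link("alice", "change_password")
    tok = link.split("token=")[1]
    print(confirm(tok, "alice", "change_password"))  # first use
    print(confirm(tok, "alice", "change_password"))  # replay of the same link
```

Unlike a number typed into a page, nothing in this step is entered on whatever site the user happens to be looking at: the token only travels from the mailbox to the fixed origin.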