Author Topic: Can electrum cold storage be attacked through transactions?  (Read 325 times)
adaseb
December 05, 2020, 05:18:53 AM
Merited by o_e_l_e_o (2)
 #21

Because after you signed the transaction on the offline PC and tried to broadcast it on the online you would get an error.
I don't follow you here. Why would he get an error? If he signs a malicious transaction without paying attention on his airgapped computer and moves it back to the online computer, it will broadcast just fine. Cold storage only protects from this attack (and many other attacks) provided you double check the transaction on your airgapped device before signing. If you just sign things blindly and then broadcast them, then the cold storage is no better than a hot wallet.

If he loaded the phishing old version of Electrum, generated an offline transaction, then sent it over to his offline PC, signed it, back to his online computer, if he tried to broadcast the transaction he would have the fake phishing window saying to upgrade. Some people, especially since BTC almost hit $20K and some people are in a rush to sell before it drops, might click the link, download and open the executable. The fake Electrum then sends the private keys to the hacker's server. However, since he has a cold storage setup, there is nothing to send over, maybe the master public key, which doesn't really help them get anything. I don't think the fake version went thru the hassle of creating a fake-looking offline transaction, hoping the user would sign it offline without noticing the different destination or change addresses. I never used the fake version but I am assuming it's not this advanced. I think it went after the 99% of people who used Electrum online and assumed that if you are clever enough to hold your keys offline, you are clever enough not to fall for their phishing scam.

thoushed (OP)
December 05, 2020, 08:34:55 PM
 #22


Exactly. I would like to add that a good way to make sure that you are signing the correct thing, in case you have malware versions of Electrum on both computers, is to decode the raw transaction before sending it, if possible on a PC or mobile offline.

Thanks to all participants in the thread.
adaseb
December 06, 2020, 02:19:09 AM
 #23

It’s highly unlikely to have malware on both your online and offline PC. For your offline PC, make sure your signature matches the author; there are ways to verify this. Before you load it on your offline PC, make sure it verifies first.

If for some reason it verifies and it’s fake, which is highly unlikely, just decode the raw transaction first before broadcasting it. There are a few tutorials on how to do this just by googling it. However, I don’t think you should worry about this. You at least use cold storage, which most people don’t, so you are safer than 99% of people out there.
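
The decoding step suggested in the posts above, as an added example that is not part of the original thread: a small Python decoder that lists the outputs of a serialized transaction and flags any that differ from what you meant to pay. It assumes the network-serialized hex form of the transaction (not a PSBT); the function names and the sample bytes are constructed for illustration.

```python
import struct

def _varint(b, i):
    """Read a CompactSize integer at offset i; return (value, next offset)."""
    if b[i] < 0xfd:
        return b[i], i + 1
    size, fmt = {0xfd: (2, "<H"), 0xfe: (4, "<I"), 0xff: (8, "<Q")}[b[i]]
    return struct.unpack_from(fmt, b, i + 1)[0], i + 1 + size

def _script_type(s):
    """Name the standard scriptPubKey templates; anything else is 'other'."""
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[22:] == b"\x87":
        return "p2sh"
    if len(s) in (22, 34) and s[0] == 0 and s[1] == len(s) - 2:
        return "p2wpkh" if len(s) == 22 else "p2wsh"
    return "other"

def decode_outputs(raw_hex):
    """Return [(amount_sats, script_type, scriptPubKey_hex), ...]."""
    b = bytes.fromhex(raw_hex)
    i = 4                                   # skip 4-byte version
    i += 2 if (b[4], b[5]) == (0, 1) else 0 # skip segwit marker and flag
    n_in, i = _varint(b, i)
    for _ in range(n_in):
        slen, i = _varint(b, i + 36)        # skip txid (32) + vout index (4)
        i += slen + 4                       # skip scriptSig and sequence
    n_out, i = _varint(b, i)
    outs = []
    for _ in range(n_out):
        (value,) = struct.unpack_from("<Q", b, i)
        slen, i = _varint(b, i + 8)
        if i + slen > len(b):
            raise ValueError("truncated transaction")
        script = b[i:i + slen]
        outs.append((value, _script_type(script), script.hex()))
        i += slen
    return outs

def unexpected_outputs(raw_hex, expected):
    """expected maps scriptPubKey hex -> sats; return outputs that differ."""
    return [o for o in decode_outputs(raw_hex) if expected.get(o[2]) != o[0]]

# Constructed sample, not a real transaction: one input, two outputs.
PAY = "76a914" + "22" * 20 + "88ac"         # P2PKH script the user means to pay
CHANGE = "0014" + "33" * 20                 # P2WPKH change script
SAMPLE = ("0200000001" + "11" * 32 + "0000000000fdffffff02" + "50c3000000000000" "19"
          + PAY + "c0d4010000000000" "16" + CHANGE + "00000000")
```

Run on the offline machine, an empty result from `unexpected_outputs` means every output script and amount is one you listed; anything returned is a destination or amount you did not intend to sign.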