The (dumbass) finance department in my last company was phished out of about $50k. They received an email "from another company", that we happened to do business with, that was asking to update the account information. The FD didn't do any verification cause it was over a weekend and it was 'urgent'. Basically ignored all the classic signals.
The bank refused to return the funds. The concept that just because it is a bank and it must be irreversible, is totally wrong. Another very good example of this is the whole corrupt Zelle service.
interested to hear more about zelle
IIRC zelle is designed to be reversible for the banks but not the customers, it is the worst of both worlds.
Zelle is effectively DNS for your ACH bank account and the address is your email or phone number. It is notoriously used by scammers because they know that it isn't reversible.
Just google "zelle fraud" and go down the rabbit hole...