2fa is not difficult! On my personal bank account, if I want to send money to a new payee I haven't paid before, I have to produce an authorisation code from the 2fa gadget.
If I can do this for 10 quid, why can't large organisations do it for 10 million? If the CEO sends an email saying to pay a new account, that should be authorised with a one time code.