Agreed.
This is key.
"They go into the law firm that's sending you an email, take over the email, and they send the bank a note saying 'please send the money here,'"
And the point is, after receiving an email they do actually send the money there!
I worked at 3 major banks in London. 80% was automated, and 20% was via paper and emails and phone calls. All of that was considered "risk", i.e. no attempt at security auth or validation. Just put it as risk and write it off if it was fraud.
I would guess JP has 60000 wide boy brogrammers as staff. Never seen worse code than in banks. High staff turnover. It's all about the money, naturally. No-one in the building has any high-level goals like clean code or solid architecture. It's just hack for money. Security is an afterthought at best. At worst it's just a building full of disconnected workers getting paid top dollar to handle shit code without any input to the code.
I also know people that hack banks. It's a high-risk game in the long run, but easy money in the short run.
I knew people that can open a bank account, put 5 grand credit in it, and have a card sent wherever with whatever name you wanted. That's high street banks, who seem to be just as bad.
I am pretty sure it's an industry-wide problem.