Don't know the details here, but email is still very much broken, and a number of large companies, including in the financial sector, are spoofable even after checking the usual boxes.[0]
Perhaps I'm reading too much between the lines, but this part makes it look like he got suspicious and checked for clues. It would have been pretty bad if the email was actually marked as internal.
Same deal for the call as well. I'd expect the video client to warn that some members of the call are external to the organization (Google Meet does that). Or the CFO is expected to be outside (from another org) from the get-go.
> Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.
That's how I almost lost £100k. I got an email from my lawyer instructing me to pay an amount that I was expecting to have to pay, but to the wrong account. The email "from:" was definitely my lawyer's email address. It satisfied Gmail's spoofing checks. But it was not my lawyer who sent it.