Answer:
If your customer did the transfer, they are liable under the current rules. The
bad guy persuaded them to send them money, perhaps to “reverse” a fictitious transfer
whereby the bad guy actually gets the money, that’s a deniable claim.
If the bad guy gets your customers logon credentials and makes the transfers, that’s a
valid claim. The customer did not do the transfer and did not authorize it.