If someone guesses the 2 numeric digits necessary to gain telephone access to my pension fund, and they then transfer out the $10M value to the Cayman Islands, will they really give me back the money? Would I have any chance in court? Proving it wasn't me is near impossible.
Yet this pension company has millions of customers, and presumably isn't seeing widespread fraud. How come?
Because you're evaluating the effectiveness of one control in isolation, whereas the pension fund has a lot of controls, including e.g. an operational team which knows that wiring money to the Caymans is intrinsically high risk, a written procedure that they'll follow for high risk transfers specifically to papertrail up evidence in the event it is contested, a legal environment which will put the burden of proof on them rather than you if they did something that self-evidently stupid, the medallion guarantee program and associated regulation, etc etc.
Fraud happens. Financial institutions spend a lot of money defanging it; they also, when push comes to shove, have budgets for it.
For the really large banks: $XYYMM (i.e. hundreds of millions of dollars, aka the cost of doing business) across all lines of business.
All this is mostly public info as it has to go into financials; you can find it under "Operational Losses" for any public bank. (Note that "Operational Losses" are not the same as "Operating Losses".)
A sample multi-year summary can be found here from an industry body in Europe for losses for debit (losses are denominated in Euro): look at page 7 under the last column for the rows "Retail Banking". Important to note that credit ops losses are an order (or maybe two) of magnitude higher.
Yet this pension company has millions of customers, and presumably isn't seeing widespread fraud. How come?