Email means I got access to your device or something you’ve configured to be able to send email, which is probably a lot of servers unless you have an entire domain dedicated to financial messages everyone knows not to trust any other domains.

A message signature means I got you to do something like tap a Yubikey and enter a PIN, touch a fingerprint sensor, etc. That can still be socially engineered, of course, but it can’t happen by accident and you could add some safeguards against routine by having a dedicated “major transactions” key used only for that purpose to add a physical speed bump.

The problem is that “ignore my gmail, I list my phone” will defeat that training more often than we’d like, so you really need to have process safeguards which make it a requirement and management backing to say even the CEO will follow the lost device process rather than asking someone to bypass process, and that has to be so carefully enshrined that nobody questions whether their job is on the line if they tell the real CFO that they can’t bypass the process.