Let's run through this.
First they identify a target. This wasn't a random phishing attack, it was targeted. A small town with aging staff that has a project that uses electronic transfers for payment. All this information is public.
Phony up some business documents, or get creative and incorporate in Delaware online using phony corp officers. It's all done online, not much verification involved.
Go to a bank with your phony or real corp documents and a fake tax ID number, or get a real tax ID number for the corp (again online and easy), set up an account. Banks don't really give a shit, they will look at the business information and open the account.
Now you have 2 choices. Either buy a domain that is similar to the one the construction company uses, maybe replace an L in the name with an i so when you set up your email from address you use an uppercase i and it looks like a lowercase L (just one example), but the computer knows what it really is so any reply will go to your email. Or hack into any email account of the construction company, people are idiots, this is not that difficult.
Now send an email to the town's AP person saying your bank information has changed.
Now wait for the money to come in. When it does, immediately buy crypto, run it through the least secure exchanges you can find, moving in and out of the most garbage crypto, after all, so what if you lose a few hundred thousand.
Eventually cash out in some country with lax banking regs and poor law enforcement.
Fini
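
From the accounts-payable side, the uppercase-i-for-lowercase-L substitution described above can be caught by comparing the real sender domain, not its rendering, against the vendor list. The following is an added example and not part of the original post; the vendor domain, the fold table and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed vendor list; a real deployment would load it from the AP vendor master file.
TRUSTED_VENDOR_DOMAINS = {"hillbuilders.example"}

# Fold characters that render alike in common fonts to one representative.
_FOLD = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(domain: str) -> str:
    """Lowercase (DNS is case-insensitive), then fold look-alike characters."""
    return domain.lower().translate(_FOLD).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike:<vendor domain>' or 'unknown'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_VENDOR_DOMAINS:
        return "trusted"
    for vendor in sorted(TRUSTED_VENDOR_DOMAINS):
        # Same skeleton = visually identical; distance 1 = single-character squat.
        if skeleton(domain) == skeleton(vendor) or edit_distance(domain, vendor) <= 1:
            return f"lookalike:{vendor}"
    return "unknown"


if __name__ == "__main__":
    # Constructed From headers; the second uses uppercase I in place of lowercase l.
    for header in ("Billing <billing@hillbuilders.example>",
                   "Billing <billing@hiIIbuilders.example>",
                   "Billing <billing@hillbuilder.example>"):
        print(header, "->", classify_sender(header))
```

A check like this only covers the lookalike-domain path; a request sent from a compromised real vendor mailbox classifies as trusted, which is why bank-detail changes are normally confirmed by calling a phone number already on file.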