In the US, EFTs initiated as a result of an account takeover are explicitly covered under Regulation E. The CFPB has published guidance and made it very clear these types of transactions are covered.

"4. Does an EFT initiated by a fraudster using stolen credentials meet the Regulation E definition of an unauthorized EFT?

Yes. As discussed in Electronic Fund Transfers Error Resolution: Unauthorized EFT Question 1, Regulation E defines an unauthorized EFT as a transfer from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. 12 CFR 1005.2(m)."

OP is in Austrailia so this is moot; however, if your experience in the financial industry is in the states, you are confidently incorrect.

However, other scams not involving an account takeover may not fall under the purview of Reg E, such as buying a gift card for the scammer; or, p2p transaction, which the CFPB will likely push consumer friendly guidance for in the next few years.

Source: I'm a certified regulatory compliance manager with 15 years banking experience.