The receiving instutition(s) could safely assume that the message is actually from Bangladesh Bank and whoever was sending them has the authority to act on their behalf even if it was not true. If Bangladesh Bank allowed hackers to send messages in their name, they are still fully responsible for their content, the recipient does not have necessarily to verify anything (for a counterexample, consider the legal risks involved with not verifying who has the authority to sign for a large international contract) unless a specific bilateral contract specifies that - like in the Bangladesh 80M case, there's no blame or risk placed on the message recipient/executor (Federal Reserve Bank of New York), they had the rights to assume that the orders were from Bangladesh bank, and all the losses from that case were solely on the Bangladesh bank. In all the major cases there have been lawsuits or threats of them - because why not try - but the general precedent is that those lawsuits fail and the recipient is reasonably safe to make that assumption.

In a similar manner, if the SWIFT infrastructure itself was hacked and fraudulent messages inserted (this has not ever happened AFAIK), you still can assume that the messages are valid, and that in that case the liability (insured!) for any losses would be on SWIFT.