by shyn3 2799 days ago
Your email did not get hacked most likely. Your client got tricked. They spoofed an email with your domain, but the reply-to email was their own (the attacker). So the client thinks they responded to you, but they responded to the fake address. Also, generally when they do this, they spoof the body and the conversation of the email.

Most likely, your client's emails were compromised in this case. Ask them to forward you the original email received as an attachment, and the reply-email as an attachment.

Your client likely has to reach out to their banking institution. Most companies have safeguards against this on their end when sending money, specifically, when accounts change they get on the phone with someone using their Vendor list, not the communication from the email. Also, having multiple parties authorize a transfer.

2 comments

I agree. A few (10? 20?) years ago it was very easy to spoof email and send an email "from" mickey@disney.com if you wish. The original email specification has almost no security features. Now, most of the email servers will sign the outgoing email, and if you receive an email with the signature, Gmail and other big webmail providers will show a big warning.

So, to understand the problem it is very important to get a copy of all the complete emails with all the hidden headers that have the automatic signatures of the servers the email passed through. (See https://www.google.com/search?q=email+headers)

With the email headers it is possible to see if your server was hacked or if the sender field was spoofed.
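
The header check described in the comments above, as an added example that is not part of the thread: it parses a raw message, compares the From and Reply-To domains, and reads the SPF/DKIM/DMARC verdicts from Authentication-Results. The sample message, its domains and the function names are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): From shows the vendor's domain,
# Reply-To points elsewhere, and the receiving server recorded failed checks.
SAMPLE = """\
Authentication-Results: mx.client.example; spf=fail smtp.mailfrom=bulk.example;
 dkim=none; dmarc=fail header.from=vendor.example
From: Accounts <billing@vendor.example>
Reply-To: Accounts <billing@vendor-payments.example>
To: ap@client.example
Subject: Re: Invoice 1042 - updated bank details

Please use the new account for this payment.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts; the topmost header wins."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for clause in value.split(";")[1:]:   # first part is the authserv-id
            method, _, rest = clause.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                verdicts.setdefault(method, rest.split()[0].lower())
    return verdicts

def triage(raw):
    """Return a list of findings that suggest a spoofed sender."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Only an Authentication-Results header added by your own receiving server is trustworthy; a sender can include forged copies lower in the header block.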

Or an employee of his used this information to email the client and steal the money
This is not limited to an employee at OP's organization. It can be an employee from the corporation he is doing business with. Alternatively, someone could have printed an old email and one of the facilities providers (i.e. cleaning crew) found it and used it.