This is a very common issue; I've personally helped a company after they lost much more than this, and had to help prove it to insurance/govt agencies/etc. Turn on DKIM, DMARC, and SPF records for your mail domain. Also, never send invoices over email that contain any payment terms (e.g. accounts, addresses to mail a check to, etc.); they should always be in some sort of protected portal. Tell every customer never to accept payment term details from you over email, phone, etc. If you or your client has insurance, start documenting every part of your case with screenshots into a file, and document everything you know NOW, including timestamps, etc.
EDIT: Also, I'd suggest taking orders via a secured portal, and also authenticating large orders by calling a number for a client you already have (never trust their website, or an email from them). Unfortunately, you're out of luck on that money.
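The comment above recommends turning on SPF, DKIM and DMARC but doesn't say what a weak versus a strict record looks like. The script below is an added example (not posted by anyone in this thread) that parses SPF and DMARC TXT records and flags the settings that still let spoofed mail through: an SPF record ending in `~all` instead of `-all`, and a DMARC record with `p=none`, a reduced `pct`, or no `rua` reporting address. The records and the domain `example.test` are constructed samples; to check a real domain you would fetch the TXT records for `<domain>` and `_dmarc.<domain>` yourself (for instance with dnspython's `dns.resolver.resolve(name, "TXT")`). DKIM is not checked here because it needs the selector keys your mail provider publishes.

```python
"""Static checks on SPF and DMARC TXT records (added example, constructed data)."""

# Constructed sample records for a hypothetical domain "example.test".
WEAK_SPF = "v=spf1 include:_spf.mailprovider.test ~all"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.test -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.test")

# Mechanisms that cost one of the ten DNS lookups SPF allows (RFC 7208 s.4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs and the 'all' qualifier."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    all_qualifier = None
    for tok in tokens[1:]:
        qualifier, body = "+", tok          # SPF default qualifier is '+' (pass)
        if tok[0] in "+-~?":
            qualifier, body = tok[0], tok[1:]
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, body))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse the 'tag=value;' list of a DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(spf: str, dmarc: str) -> list:
    """Return a list of weaknesses; an empty list means both records are strict."""
    findings = []

    spf_info = parse_spf(spf)
    if spf_info["all"] is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif spf_info["all"] == "~":
        findings.append("SPF: '~all' only softfails spoofed mail; many receivers still deliver it")
    elif spf_info["all"] in ("+", "?"):
        findings.append("SPF: '+all'/'?all' lets any host send as your domain")
    lookups = sum(1 for _, m in spf_info["mechanisms"]
                  if m.split(":")[0].split("=")[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")

    tags = parse_dmarc(dmarc)
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: missing required 'p' tag; record is invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    try:
        if int(tags.get("pct", "100")) < 100:
            findings.append("DMARC: pct<100 applies the policy to only a sample of mail")
    except ValueError:
        findings.append("DMARC: 'pct' is not an integer")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, so you get no aggregate reports of spoofing")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_SPF, WEAK_DMARC):
        print(finding)
    print("strict records:", audit(STRONG_SPF, STRONG_DMARC) or "no findings")
```

Run against the constructed records, the weak pair produces two findings (`~all` and `p=none`) and the strict pair produces none. Rolling out `p=reject` is normally done in stages (`p=none` with `rua` reporting first, then `quarantine`, then `reject`) so that legitimate third-party senders show up in the reports before they start being blocked.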
They need to file a police report, and get in touch with their bank. It's likely the money has already been transferred to a different bank, but the corresponding bank might still be able to freeze the account if it is still sitting there.
Then again, it might be transferred again as well. Money is hard to trace if it moves through different jurisdictions, as every country has different banking and privacy laws. Your client might very well hit a dead end for such a (in the grand scheme of things) small amount of money.
Highly unlikely - but also, a side fact to keep it from happening again. In the attack similar to this that I had to help address, someone had sent an email to a client over an Indian shared office space network. That network was found compromised, and man-in-the-middled. Suggest doing business communications like email over VPN (F-secure VPN or similar) only.
Absolutely it could. However, with a secured portal, the client would know to go there, rather than email, for many interactions already. Once DKIM, SPF, and DMARC are on, the spoofed email is harder to do. In this particular case, I'd suggest giving them a file of contact information, and not ever publishing it (email, etc.). Also, in my view, it is much easier to spoof emails than to attack a proper web app.