While I cannot say that it is a common occurrence, I wanted to write this to let our viewers know of its existence, how it happens, and how to reduce the possibility.
My opinion is that the customer's email is compromised, and the third party reads the emails looking for opportunities to inject themselves.
The third party may delete valid emails, then send an altered message from an email that looks like the party they are corresponding with. They have control over the contacts, and can make an address appear as a contact, and even change contact details to suit their needs, such as a name, email or phone number.
In the couple of cases we have seen, the third party intercepts an invoice and puts their own bank information in place of the correct information.
Payment is made to the wrong account. It is nearly impossible to reverse this transaction once started.
How to look at emails when received.
Check the actual address the email was sent from, not just the name shown on the email. Here is a blog post on what to look for:
Want to know how to trace where an email came from? It is contained in the message header.
Trace an email with its full headers
Helpful to know where the attack appears to be originating.
How to Trace an Email in Microsoft Outlook
What is a spoofed email address?
It is an address that looks like a correct address, but when you reply it goes to a different address.
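The checks described above (read the real sender address rather than the display name, watch for an address that only looks like the correct one, and notice when a reply would go somewhere else) can be run automatically over a message's headers. This is an added example, not part of the original post; the domains, the `KNOWN_DOMAINS` list and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains you already do business with (hypothetical value).
KNOWN_DOMAINS = {"vendor.example"}

# Constructed sample message, not taken from a real incident.
SAMPLE = """\
From: Vendor Billing <billing@vend0r.example>
Reply-To: vendor.billing@mailbox.example
To: ap@customer.example
Subject: Updated bank details

Please use the new account.
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw, known=KNOWN_DOMAINS):
    """Return a list of warning labels for one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"] or "")
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-differs")            # replies go elsewhere
    if from_dom not in known and any(0 < edit_distance(from_dom, k) <= 2 for k in known):
        findings.append("lookalike-domain")            # e.g. vend0r vs vendor
    if "@" in display and display.strip().lower() != addr.lower():
        findings.append("display-name-shows-other-address")
    return findings

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A message with no findings is not proof that it is genuine, since a compromised mailbox sends from the correct address; changed bank details still need confirming by phone using a number you already had.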