Yes, we now think he was most probably 'phished', but he's not sure how - he gets the standard phishing emails, but all he can remember are the usual ones that ask for the whole password, and nothing that looked similar to the real log-on process. Some kind of redirection to a fake webpage could be possible (DNS poisoning?) but that would only capture elements of the password. He doesn't remember a string of logon failures that could let them capture lots of characters. It's an odd one.

A more worrying possibility is that it was an inside job. It's impossible to know what goes on internally, but it was suggested as realistic by somebody who should know (he was lead architect for their original pre-RBS online banking system, so he knows internet banking very, very well).

Anyway, it's now in the hands of the police, who seem unusually interested ... so there may be more going on than we know But it has rather shaken my confidence in online banking - if it could happen to him, it could happen to me...!

stickyb - sorry for the full inbox message you got, i've been away for a few days and missed it.