
Ok, so hopefully here is a summary of the responses.

* Don't rely on virus scan - just because it says the system is clean doesn't mean it is clean.
* Use a clean OS install on the computer.
* Ensure the OS has all security updates installed.
* Don't use Outlook, however if Outlook must be used, ensure it is using TLS for SMTP and POP. Seems obvious: check the servers are the correct servers.
* I think the problems with Outlook: could have security vulnerabilities, and stores credentials locally.
* If continuing to use Bigpond:
  * Ensure email is not forwarded to a malicious address.
  * Probably should change his email password from the clean OS install, and never use it on any other system.
* Use an email provider that can help debug these issues. I had at least one person volunteering for such a service via private email.
* OR: Use an email provider like gmail that is accessible using HTTPS (plus gmail has good 2nd factor authentication)
* Report to ACORN police department.
* Person must change his habits. "He _must_ acknowledge that security is a process, not a product, and that his behaviours and understanding are crucial. If he will not change, he will not have the monies from the invoices he sends out. That might seem harsh, but it is also living in the real world." Knowing the person in question - and also considering the many months this has been happening, that is probably a fair assessment. Not sure how to guide him on doing so however.
* Use S/MIME??? Probably not possible with a webmail cloud provider like gmail.

There were some other responses I don't consider so likely:

* Check WIFI security.
* Check router not compromised.

sidenote 1: I think this computer will be dedicated to work, and not used for playing games, surfing porn, or other dodgy stuff; person suspects it is a virus distributed via PDF file, which I can't comment on; suspect Outlook might be most vulnerable here.

sidenote 2: If the local computer is compromised, the attacker could access invoices before they are even emailed.

One thing nobody mentioned: mobile phones, including any lost or missing phones. Suspect not an issue here, however that is an assumption on my part. Should check.

Was there anything I missed?