your customer contacts your bank to say they let someone log in to their computer - a "Microsoft tech" person they say and then their online banking was accessed. customer unplugs from wall and calls.
do you file a SAR?

your customer contacts your bank to say they let someone log in to their computer - a "Microsoft tech" person they say and then their online banking was accessed. the customer sees the "tech support" person move money from customer savings to checking. customer unplugs from wall and calls. do you file a SAR?

See question #17: https://www.fincen.gov/frequently-asked-questions-regarding-fincen-suspicious-activity-report-sar

FAQ #17 - got it

ok, so a customer reports they allowed someone they thought was a support tech person onto their computer, they then gain access to the online banking, and move money from one internal account to another - obvious intention is to remove, steal, procure or otherwise affect funds of the targeted customer. should we file a SAR regardless of if we know the amount of money moved? If we mark box 38a "ACCOUNT TAKEOVER" does that automatically mean we are completing 42b? As far as #43 and #44 what would should be considered here?
just looking for a clearer understanding of when a FI would file a SAR in regards to these types of suspicious activity. I am also reaching out to auditors and examiners with the same.

We will often include 43 IP Address when a consumer has experienced the type of situation you describe as well as when our member hands over access for mobile deposit as the information may be useful for law enforcement to track down those involved. We don't view those events as cyber events with regard to 42 and 44 as the member is actually providing the access to their account and credentials.