Rule of thumb, never ever click the link in the email.

Be sure and cautious when dealing with money online., from https to exact website address on IE or Firefox.

Whenever something abnormal than usual, like TS case need to get TAC before log in, then hold back, don't do anything.

I think the case summary would be:

TS log in phishing website, the phising website told TS to get TAC before log in, so TS applied the TAC and log into the phising website, then they have the TAC already, afterwards, TS log in with usual log in name and log in passwords.

So, they have all the details they need to do the con job, log in name, password and TAC already, which enable for them to make the fund transfer, as TAC won't be expired in 1 days or several hours time which lead to the fund transfer.

So in this case, TS won't be able to claim back money from the bank. But need to report as third party account could be useful for police to investigate this matter. But third party account generally won't be the person doing this, they (doing con-job one) probably borrow others person name to create the account only as they are not stupid to leave the trace.