This is an easy one. I believe Tom didn't do a research of a website he found on Google and ended up on a fake Electrum website where he downloaded a hacked version of the Electrum software wallet. The moment he got the coins from the exchange, the wallet made a new transaction and sent the funds to the thieves.

How was he supposed to act? Perform a thorough evaluation of the website from which you will be downloading the new software. Learn how to recognize a fake website and never download Electrum from another source than electrum.org. When it comes to software wallets, it's also a good idea to learn how to check GPG signatures.