Fraudsters who stole $2,000 from a Vancouver man through a CRA scam were likely able to trick him using information they gleaned by hacking one of his devices, according to a security expert.

Kelly Loden told CBC last week that he was sucked in because the criminals had detailed information about his unpaid taxes and filing history.

He suspected the issue was with the software he'd used to file his taxes, but that's an unlikely explanation, according to Chester Wisniewski, a researcher with the security firm Sophos.

"The information the criminals had could really have only come from his own device," Wisniewski told CBC.

Vancouverite Kelly Loden is out $2,000 after being tricked by fraudsters posing as RCMP and CRA investigators.

"The amount of information they had is beyond what a bank would have, it's beyond what the CRA would have. The only place that all that information exists would be your own computer."

Sophisticated scam artists

Police have warned that scammers are using increasingly sophisticated schemes to trick their targets into giving up cash. In the CRA scam, victims like Loden are generally told that a warrant has been issued because of unpaid taxes, and they need to pay up if they want to avoid arrest.

According to Wisniewski, the con artists will often spend days gathering information they can use against their victims.

"They may be criminals, but they're not stupid," he said.

Chester Wisniewski is a computer security expert. (Denis Dossmann/CBC)

That could mean hacking someone's email and bank accounts using a compromised password — too often, people will use the same password for multiple online accounts. Scam artists could also find their way in through malicious software that's installed when someone clicks a link in an email.

"Because we store our entire identity on our phones and our laptops and our computers these days, once that device is compromised, it kind of unlocks everything," Wisniewski said.

Once a target is identified, the scammers will often use time-honoured pressure tactics employed by people like car salesmen — perhaps creating the impression that time is quickly running out, for example.

In Loden's case, that meant threatening him with arrest if he hung up the phone.

"Even sophisticated people can be tricked when they're under some emotional stress and the criminal's done some homework," Wisniewski said.

The fraudsters will usually ask to be paid in gift cards — Loden was pressured into buying them for Apple products. This makes the money harder to trace and means they don't have to meet anyone in person.

Apple gift cards are particularly popular because of the high resale value of iPhones and other Apple gear, Wisniewski said. That means the scammers can sell the devices on Craigslist or the dark web for something close to their original value, thereby laundering the stolen funds.

Protecting your information

Wisniewski said it's crucial that people protect their information by using unique passwords for every online account. There's software that can handle that, but keeping a handwritten list is another option.

He also recommends keeping all devices up to date, installing every software update as soon as it's available.

And any time a call comes in from someone claiming to be with the government, police or a bank, Wisniewski says it's best not to agree to anything, and to then call back on a verified phone number.

"Because somebody calls you and has familiarity with your personal life, does not make them in a position of authority, nor someone you know," he said.

With files from Eric Rankin