It's a problem but so far not the cause of getting hacked. Let's try to avoid another discussion about the NSA, USA and most other countries about email and in general communication intercepts.
That out of the way I have to advise not to track where the PHISHING EMAILS come from. It is best to do what you did with password changes and locking down and do not track that email since doing so can have you possibly opening up the bad email or going to shady web sites.
You did fine. Now you need to delete these emails and move on.
I have a hover webmail account. In the last couple of days when i email a customer a payment request they receive and email that looks like it's from my email address giving them a new bank account to send payment to, not mine!!
This is 'in thread' of the email conversation.
When this first happened I scanned the computer with AVG and malware bytes both came back clean.
I have changed all passwords and started using a password manager, LastPass.
Even after these changes, it is still happening. When I changed passwords I was notified of some login attempts originating in Nigeria. So I rescanned computer changed all passwords again.
I can not find a trace of the bogus emails in my email account sent items.
How are my emails being intercepted?