When a user gets hacked or compromised as a result of a phishing scheme, the attackers use the user's contact list to send out emails in the hope of getting more users to give up their usernames and passwords.
This scam is particularly effective because the email comes from someone you know and trust, so your guard is down. The idea is to lull you into a false sense of security: the content must be safe, since it was sent by someone you know and you recognize both the name and the email address.
Once you click the links and enter your password, you have turned your account over to the hackers, who in turn send emails from your address to your contacts in an attempt to get even more users to give up their passwords.
I created this quick tutorial for my colleagues to help them recognize and identify emails sent from compromised accounts:
We will never be immune to phishing scams and spam, and everyone will be compromised at one point or another (through their own actions or those of others), but as GI Joe always said, knowing is half the battle...