The Norton chap is probably correct. And he will have more experience than any of us posting here
Your e-mail password is held unencrypted in the web browser cache, and extracting it is dead easy. When you clicked on the link it was mailed to whoever is behind the scam
Change your password, and also change your password reset questions


if you want an example of how easy mail passwords are to extract, download and run Mailpassview from Mail PassView: Password recovery for Outlook, Outlook Express, Thunderbird, Windows Mail, and more...
Thats a legit program - but the underlying technique is the same