Phishing email

Yes, that’s a scam. For added effect, some of those scam messages will include an old password of yours, acquired by the scammers from some server breach.

Shut off remote image loads in mail, though. Those can be used to track your access.

More info > Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support

woody2k4 wrote:

If I shut off remote image loads would this affect anything else?

It’ll mean that all arriving mail messages with remote images (usually only advertising email you’ve subscribed to, as few other sources will use remote images, approximately no private mail from humans uses remote images) will also not show remote images, but you can selectively enable those remote image loads in individual arriving messages, if you’re interested in seeing those images. There’ll be a (paraphrasing) “message contains remote images, do you want to load them?” query shown with the remote-images-unloaded message. Most “legitimate “ advertising has more than enough text and has alt tag labels on images that I don’t even bother loading remote images for those.

Basically, remote images are used for tracking. Either by entities you’re affiliated with, or by spammers. They’ll get he time of open, and the IP address that performed the open, and whatever parameters were in the open request which can be enough to tie the open to a specific receiver.

WWDC 2021 had some good security enhancements in this area for upcoming software releases, masking the reader’s IP address. Message-specific parameters will likely still be available to the sender, however.

It is a scam. I've received something similar and have seen many other reports. Delete it, ignore it, and forget it.