I am a technician at Apple and my advice is this. It may sound super obvious, but unfortunately to many people it is not:
ALWAYS click on the name (in this case ‘Apple’) if it’s an email to reveal the actual address it came from. To my knowledge, that’s not something that can be faked. Anything that is not from “@apple.com”, and only that, is not from Apple.
It’s often shocking how absolutely ridiculous the email address will be if only you look at it. If it is not from Apple, you’ll know. And if it’s not, don’t ever click on anything in the email (I cannot speak for SMS messages, but the logic holds).
You can and should also forward any suspicious email you get involving your Apple account in any way to email@example.com. They collect these and actively work toward helping block them.
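An added example, not part of the comment above and not Apple's own tooling: the same look-behind-the-name check, done on the visible From header with an exact domain match. The function names, the sample headers and the `.example` domains are constructed for illustration.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "apple.com"  # the only domain the advice above accepts

GENUINE_DOMAIN = "address is @apple.com"
NAME_MISMATCH = "display name claims Apple, address does not"
OTHER = "not from @apple.com"
NO_ADDRESS = "no usable address in header"


def sender_domain(from_header: str) -> str:
    """Return the lowercased domain of the address in a From header, or ''."""
    _name, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify(from_header: str) -> str:
    """Compare what the display name claims with the address behind it."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return NO_ADDRESS
    # Exact match only: "apple.com.something.example" merely starts with the
    # trusted domain, and a display name can contain any text at all,
    # including something that looks like an @apple.com address.
    if domain == TRUSTED_DOMAIN:
        return GENUINE_DOMAIN
    if "apple" in name.lower():
        return NAME_MISMATCH
    return OTHER


# Constructed sample headers (not taken from real messages).
SAMPLES = [
    "Apple <no_reply@apple.com>",
    "Apple ID <id@APPLE.COM>",
    '"Apple Support" <no-reply@apple.com.account-verify.example>',
    '"support@apple.com" <billing@mail-secure.example>',
    "Parcel Service <track@parcel.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):45} {header}")
```
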