"They certainly look authentic and I can see why so many people get conned by them."
That's the whole point - a con has to seem authentic if it is to succeed. We all know what we have ordered or bought on line, and if an email refers to a transaction that we haven't initiated it is pretty well safe to ignore it completely.
Likewise, when something refers to a password change it's not going to be genuine unless you have changed your password recently - you'll almost always get a confirmation email a short while afterwards when you do that.
I think this may just be a mistake. I understand that such emails are sent automatically but glitches are everywhere. I think you should not pay attention to this letter if you are not connected with Apple.