Don’t approve any password-reset prompts—those are the first part of the attack. Do not pass Go, just head directly to your Apple ID settings.

Why do I need to go to Settings? I get these occasionally and ignore them; what harm is there in that?

FWIW these were real bad for a while, but Apple seems to have gotten better at canning the spam. Maybe 1-2 per year?