It’s done via the phone that you have registered to your Apple ID > Settings > Apple ID > Password & Security > Change password > Enter iPhone passcode > Enter new password > Confirm new password.
You don’t need your current password if you are using your registered phone. Whether it uses your phone number or some other method to identify you, I’m not sure.
I called Apple to confirm if the email was a fake or not; initially I presumed the first email was a very good fake. It was only when I was messing about with my Sonos system, needed to authorise access to my Apple Music and was repeatedly told my Apple ID password was wrong that I realised the email must have been genuine.
It was also confirmed over the phone by Apple that no purchases or subscriptions had been made via my account.