Anyone who follows US political news may have seen the report in the New York Times article on the email hacks:
A phishing email that originated from a hacking group landed in a mailbox. The message was forwarded to a computer technician to make sure it was legitimate before anyone clicked on the ‘change password’ button. The technician mistyped "illegitimate" as "legitimate" and someone clicked on the link (believing it was a valid message) and changed the password, which gave the hacker access to the mailbox.
While the technician's error is a big one, the fault lies with the people who clicked the link. Had they opened a browser, typed "gmail.com" in the address bar, went into Settings and changed the password, the technician's typo wouldn't have mattered. Yes, it's extra steps, but it is the safest way to avoid accidently giving up your password to the bad guys. When you do this, it doesn't matter if the message is legitimate - the password is secure.
If you don't want to change your password needlessly, check the From address and the URL the link points to. Some, but not all, phishing emails will not be sent from the expected address: if the From email address (not the display name) is not from the correct domain, the message is not legitimate.
The original message looks like it could be legit but hovering the mouse over the hyperlink may display the URL in a screentip. Do not trust short links!
If the screentip url is long or questionable, you should view a plain text version of the message or the message source so you can see the URL better. Dragging the message to the Junk Email folder to convert it to plain text is the easiest way to do this.
After moving it to Junk Email, we can see many of the URLs are not pointing to the expected server (Apple, in this example). Note that some spammers will link to the correct site in the message header or footer to confuse you. Look at all of the URLs! If the links use a short link service, DO NOT click it. Open a browser and browse to the site using your own links.
If the domain before the first single backslash is not the expected domain, it's almost certainly not legit and should be deleted. If you aren't sure (or just want to change your password anyway), don't click the link! Open a web browser, log into your account and then change the password.
If the URL is hyperlinked in the message (instead of a pretty hyperlink), and looks to be legitimate, don't click the link. The underlying URL could be different. If you are 100% sure the visible URL is valid, select it, copy and paste into the address bar if you don't want to retype it.