I also got a very threatening email purporting to have access to my gmail etc. I didn't wait around for confirmation. My instant response: got a new sim for its mobile number, set up 2fa on that for gmail. Put new sim in an old phone. Also changed password etc.
I advise anyone with a gmail etc still using sms/text for 2fa to at least set it up so the mobile number used is not one that has ever appeared in your contacts list. Or that you've ever given out to a random website, eg facebook/linkedin. Linkedin has repeatedly lost control[2] over their database in terms of email/phone number.
I kept my main number just for contact as before but I dont use it for 2fa. Also, plenty of other 2fa options exist so use them. Authenticator app is a thing too. Now I have two phones with that app. Very handy.
My new "authentication" phone is a prepaid thing with 365 say expiry and $5 credit. I never make or receive calls on it. Its not on my contact list.
I'll leave out the benefits of having your own domain because this comment is long enough. Only that it makes spam origin detection so much easier. Not to mention filtering.
[1] why gmail can't filter by sender hostname/ip is beyond me. I'd also like to tag emails from unsecured transports. My current solution is reporting spam via gmail and also I'm in the process of extracting out a automated list of AWS hosts that are sending spam so I could report them to AWS.
[2] which is why my very old mobile number that was fresh at the time is now "out there" against my email address. The source was hopefully just linkedin scraping. I know it was only linkedin because that phone was unfortunately destroyed about a week later.
Best theory we have is they want to identify users who click on anything to send them a real scam later.
Very annoying.