It does not take much, for sure in the US, to get phone, address, brute force a password is easy (hence 2fa)
Also, there was a 0-day vulnerability just last week about having a reset link sent to a different mail
But if you have more than my 25+ years experience in IT, I will definitely shut up
I was one with one foot in Europe and on in America!
Was fantastic!!!
If she could not log in her account, she could not see that mail, and she never said that she is having her account locked
Some years ago these were nicknamed bulgarian spam... play on the fear to get some bugs
To be said, it is good to have complex password, and a keepass to store them
The article is a little "light" but it is definitely believable
Seems more phishing actually
The fact that is a new e-mail means nothing, it may not be you have a virus, but somebody you wrote to
Probably a good idea would be to check with a good technician, but only after a second ot a 3rd request
And of course do not answer that mail (and move to linux :P )