Indeed, it is the only correct advice.

Call the business in question at a published number. The email could be a fraud (most likely), an error (a possibility, but with a lot of downsides to ignoring), or legitimate.

I do this when I receive calls, emails, or other correspondence which appears to be legitimate. Pretty much every customer-facing business maintains its own phone database and can tell you relatively instantly whether the number you are being asked to call is legit.