This is a common occurrence due to e-mail address confusion.
I get dozens to hundreds of e-mails from legitimate companies (car dealers, LA Dept. of Water and Power, Macys.com, cell phone activation notes, the payroll company ADP, and Nationwide insurance) from people with my first name and an initial matching my last name.
The companies could solve it AND improve security with a "double-opt-in" step of requiring you to confirm an e-mail address before it's used.
The worst was in early 2019, when I received medical records (lab results in a .PDF file) - a clear HIPAA violation, since e-mail isn't an authenticated or encrypted communications channel. The "medical records" person, who should know the law, was the sender of the e-mail.
In my case, none of them are nefarious, but they represent clueless users or, even worse, clueless sales clerks (such as at Lenscrafters in Maryland, the Apple store in Manhattan, and others too numerous to mention).
If people want to make up an address, then firstname.lastname@example.org is the best one to use. It is invalid by definition in the Internet RFCs.
In hindsight, I realized that my Gmail address is too short, and it should have the same length as a password (about 15 characters).