Just copy the text he sent you and do a search for it; it usually surfaces other examples of this scam.
What has likely happened is that some old site you used has been compromised, and they are using the pwd from that to fool you into thinking they have your real details. This works when people don’t change their passwords, for example. They think, omg they have my pwd.
You can check if that email address has ever been compromised, and by what sites, at https://haveibeenpwned.com/ (seriously)
Edit - yes, it is probably a scam and nothing to worry about. Do the steps above though for your own peace of mind!