Your cold wallet is safe. This "scam" is called "address poisoning", and it exploits the fact that etherscan.io uses log events from ERC20 tokens to show users their ERC20 activity.
The scammer here created a contract that allows them to create an ERC20 Transfer event and simply used your address string in the "from" field of the event log. They do, however, control the address in the "to" field of the event log, and their hope is that you will not realize that this is fake, and send tokens to it in the future thinking that you've sent tokens to it in the past, especially because it looks so similar to addresses that you have actually sent tokens to.
I am not 100% sure what the end goal of this scam is. Are they hoping that I copy the address that they sent the scam tokens to and send actual funds there?
exactly
Yes, there are multiple ways that you could burn unnecessary arbitrary gas when calling functions on a smart contract.
To start, go to the Yellow Paper, see what some of the most expensive gas operations are, and do those things in your smart contract functions.
Why would you want to do this though?