Be sure to check those URLs very closely
I quickly mentioned a while back that Barney had been taken for some cash by a PayPal scam. He's written up a story about his experiences, and this should be a lesson to everybody: 1) PayPal will never ask for your PIN, and 2) Is it really PayPal? URL spoofing is the most common way of hiding this sort of thing. Looking through my logs, this is the URL that Barney was sent to (but, on his defense, you couldn't really tell you were going here as it was an HTML formatted message):
Needless to say, it's not PayPal, it's 184.108.40.206 which is an IP address in Asia. That's a complicated and ugly way of hiding URLs, but there are simplier ones:
You could put (nearly) anything in front of that "@" sign, and get this page:
Here's a good writeup on the various tricks used to obscure URLs. Regardless, make sure you're really going to the right place. Otherwise, you'll have to deal with what Barney did.