I don't usually look carefully at emails I get purporting to be from PayPal; I know they're frauds. But this one is fairly impressive.

Here's the correct URL to PayPal's login screen
https://www.paypal.com/cgi-bin/webscr?cmd=\_login-run

Here's the text of the link that appears in the phishing email:
https://www.paypal.com/us/cgi-bin/webscr?cmd=\_login-run

And, here's the actual URL for that link, which I could see by hovering over it, or by right-clicking and choosing Copy Link, then pasting into a text editor.
http://www-paypal.org/us/cgi-bin/webscrcmd=\_login+run/index.htm?logIN=upDate

Now, as expected, the link text is almost exactly like the actual PayPal URL. But what's unexpected is how close the actual URL is to the PayPal URL. A casual eye would say they're close enough to be legitimate.

The phishing URL is different in these critical ways:
1. The PayPal domain is ]www.paypal.com. The phishing domain is www-paypal.org. Someone went to the trouble of registering this.

2. The PayPal path is /cgi-bin/. This is followed by a CGI command (or filename, not sure which), "webscr", and then the parameters and arguments for the command, cmd=_login-run

3. However, the phishing path is us/cgi-bin/webscrcmd=_login+run/. Do you see how they make it look almost like the CGI command? This is followed by a standard web page, "index.htm", which is receiving a bogus parameter and argument "logIN=upDate".

4. I opened just the phishing index page. It looks almost exactly like the main PayPal page. The only difference is that, if you try to log in, you'll be passing your username and password to the thieves instead of PayPal.