I got the Paypal con job too. It did look pretty good. The thing that gave it away was that it was sent to the wrong address.

Let's say my name is Joe Bloggs. I have a domain joebloggs.co.uk and thus I can make up unlimited email addresses on the spot, of the form
*@joebloggs.co.uk

and for Paypal I have
[email protected].

Any email really from Paypal will have a To: header of
[email protected] - otherwise it's a fake.

The above is a simple and cheap way of protecting one's email address. Every website that asks for an email address is given a slightly different one, and if one of them gets sold to spammers, you just set up a killfilter on it