If a person is not SURE what they did (if they clicked on a link or not), I would agree with Ron and recommend they go directly to the Paypal site change their password. Seems like an easy thing to do just to be on the safe side.

Ideally, people should change their passwords on a regular basis anyway. Now might be a good time for them to do that. A person can choose to never ever to change their passwords but that's a risk that some people are willing to accept. Just like a person that says, "I never run antivirus and I've never been hit.". That's great UNTIL the first time you get burned.