As you know, you should never sign in to PayPal (or other services) using a link in an e-mail. You should always sign in the normal way.

Unfortunately, though, PayPal has an annoying policy that can encourage phishing and hacking: it sends some routine communications (such as requests to update credit cards) through e-mail but does not include them in an internal message system. The standard advice would be to log on to a program and check for messages there, but PayPal thwarts that protection.