Picking the wrong target for PayPal fraud

I just had someone attempt to defraud me of a few hundred dollars. He was obviously watching eBay, and noticed I’d just won an auction. So he spammed me an e-mail containing a fake PayPal login page as HTML, with the <FORM> element changed to grab a copy of my username and password via a CGI script. Presumably at that point he’d wire himself $600 or so, which is the maximum possible with my PayPal account since I haven’t verified.