An article in Wired describes a series of social-engineering attacks on PayPal users.

The attack is based on supposed "Security Alert" messages that are received by users and include Visual Basic components in them (.vbs files).

If you receive a note that appears to be from PayPal telling you that you must click on a local file, Don't Do It!

The files apparently start a keyboard tracker and then link to the PayPal site, creating a situation where you will type your user name and password, thus inadvertently giving it to the people who sent the program. NOT a good thing.