The following hyperlink reads microsoft.com, but the site it links to is kernel.org:
A similar situation applies to emails that are shown in "original HTML":
However, if you take a closer look (i.e. view the email source code), you will discover that clicking the hyperlink "https://www.paypal.com/de/verifizieren" would open a different address ("http://220.127.116.11/pp/verify.htm?=https://www.paypal.com/=cmd_login_access") in the web browser:
Normally, this address will take you to a form where you are requested to enter login data.
Once the form has been sent, the login data will be transmitted to and stored on the offenders' server.
In most cases, an error message will then appear and you will be taken to the site proper.
There, you can of course log in successfully with our login data.
Websites of banks, savings banks, online payment services (e.g. PayPal), webmail services (to obtain information through a reset, or to send spams) and online shops (e.g. Amazon) seem to be especially worthwhile.
Consequently, further investigations should focus on the URI to which the hyperlink actually leads.