Uh, the fact that normal paypal integrations redirect you to a https://paypal.com page that has paypal.com in the url bar, and a green mark for an ssl certificate that says "Paypal, Inc [US]"? Which we have trained everyone to look out for.
If from the beginning users were trained to only login to Paypal if they're on paypal.com. Could be accomplished in this sort of transaction via a new popup window.
Of course, the horse is long out of the barn on this.