McHamish is right about the “active” email list thing.
However, that can also be triggered by opening the email in the first place, so unfortunately it's not always possible to avoid.
However, clicking any links is a full-on no-no.
If you hover your mouse over a link your browser will tell you where it is directing to in the bottom left (usually) of your browser window. If it doesn’t look legit, don’t click.
I also seem to recall the proper emails from PayPal etc. don’t contain login links – they simply direct you to the main site to log in manually.
As always, common sense is the main weapon. I have my PayPal account locked down with two-factor authentication – I have had a number of “You’ve just bought XXX for £YYY” emails that looked genuine enough on a quick glance that I was able to delete without even opening because I know I haven’t used a two-factor authentication code.