“How can you know someone has not hacked mail and built a dummy site to capture passwords?”
That part is easy, at least as I read the message - first assume the message is fraudulent, so never click on the provided links. Then log on to Carbonite the usual way (as if you never got the message), then change the password the normal way (again, as if the message never came).
It’s like getting a credit card warning by E-Mail, or even Snail Mail - if you think it’s legit, you look at the phone number on the back of the credit card, call them, and tell them you got an E-Mail regarding (whatever).
I am so paranoid I’m getting leery of websites!