It's good to be suspicious. I had an issue where one of my two EA/Origin accounts had someone ask to reset my password, so I closed the account. I would suggest going to the EA page and resetting your password there, ensuring that you are at an HTTPS site that identifies itself properly before changing anything. You can also apply two-factor auth to your account using the Google Authenticator, which is also useful.
The HTTP link could be a redirect through whatever service they use for mass emails, and the policy boilerplate about clickable links could be something someone stupidly ignored. If you're suspicious, though, no harm in not clicking.