
"Limited Account Access" is a common phrase you'll find in many phishing scams. Occasionally, though, it's a legitimate notification from PayPal.

The phrase "Limited Account Access" is something we all see pretty regularly - unless our spam filter is really, really good. Spoofing a "Limited Account Access" notification is an extremely common approach used by scammers to trick you into giving them access to your PayPal account, or perhaps information that could be used for purposes of identity theft.

So, naturally, when I received that message for the hundredth time, I gave it very little notice.

Until, that is, I logged into my PayPal account.

Here's the message that started it all:

Subject: Notification of Limited Account Access RXI079

Hello Leo Notenboom,

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account.

PayPal occasionally performs credit checks on selected account holders. Your account has been selected to go through this process. We must complete a credit review in order for the warning on your account to be lifted. In most cases, the account holder's personal credit is analyzed using a Social Security number and an address likely to generate a match with a credit bureau. Please log into your PayPal account to provide this information. If an examination of your business credit would be more appropriate, please contact our customer service department to supply your Tax ID number.

(etc...)

To be honest, I wasn't really sure what to make of that. My account isn't heavily used - it's one payment option for BuyLeoALatte.com and BuyLeoABeer.com, and for advertisers who purchase ads in my newsletter on Ask Leo! directly from me. It's not a lot of traffic.


Perhaps the small transactions for the lattes triggered something; who knows.

So, they wanted to do a credit check. I've no real problem with that, as I'm certain that they do have legitimate issues of fraud to defend against, and doing such a check is certainly one approach to confirming, or at least increasing confidence in, the validity of the account holder.

The question you should be asking right now is this: how did I know it was real, and not a scam?

That was pretty simple really:

  • There were no links in the email. Good for PayPal for that. I do keep preaching "don't click on links in suspicious emails", and one of the best ways that a legitimate email can reduce suspicions is simply not to have any. You must log in to your account for the next steps, whatever they might be.

  • Logging into my PayPal account confirmed the message. I'll note that I was very careful in how I logged in - making sure that the site was https, and that my browser displayed the green security confirmation that PayPal's secure connection provides.

    [Image: PayPal's green 'extended validation' security identifier in Firefox]

Logging into the web site manually - not through any provided link - is the only safe way to determine that a notification you receive is valid. If the website confirms the notification - as PayPal did when I logged in by telling me I had limited account access - then the email can be considered legitimate. If not - if there's nothing on the site after logging in relating to the notification in any way, then it's likely a scam and should be ignored. If that concerns you, then you should independently contact the customer service department (again, not using any links or email addresses provided in the email) to double check.
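As an added illustration (not part of the original article), the "no links" observation above can be checked mechanically. This Python sketch lists every link in a raw message and flags any link whose visible text names a different host than the one it really points to. The names `triage`, `NO_LINK_MAIL` and `LINKED_MAIL`, and both sample messages, are constructed for this example.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample messages (not real PayPal mail); example.net is a reserved domain.
NO_LINK_MAIL = ("Subject: Notification of Limited Account Access\n"
                "Content-Type: text/plain\n\n"
                "Please log into your PayPal account to provide this information.\n")
LINKED_MAIL = ("Subject: Notification of Limited Account Access\n"
               "Content-Type: text/html\n\n"
               '<p>Access limited. <a href="http://paypal.example.net/login">'
               "https://www.paypal.com/</a></p>\n")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def triage(raw_message):
    """Return every link in the message, plus links whose text shows another host."""
    msg = message_from_string(raw_message, policy=policy.default)
    links, mismatched = [], []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            links += URL_RE.findall(part.get_content())
        elif part.get_content_type() == "text/html":
            parser = _Anchors()
            parser.feed(part.get_content())
            for href, text in parser.links:
                links.append(href)
                shown = URL_RE.search(text)
                if shown and _host(shown.group()) != _host(href):
                    mismatched.append((text, href))
    return {"links": links, "mismatched": mismatched}
```

An empty result only removes one warning sign; logging in manually, as described above, is still what confirms or refutes the notification.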

Once I logged in I was directed to PayPal's "Resolution Center", where I was asked to provide my address (odd, since they have it on file already, but I did), and my Social Security Number (SSN). To their credit, they provided alternate means of providing the SSN should I be unwilling to type it in online, but it was still the SSN they wanted.

After once again confirming my SSL connection to PayPal, I gave it to them.

And they rejected it.

The problem is that I have two PayPal accounts - one for my personal use, and one for my business. It was my business account that this kerfuffle was all about, and my SSN had already been associated with my personal account. You apparently can't use the same SSN on two accounts.

Sigh.

At this point, I simply decided that they had more than enough information to do the credit report as it was. Perhaps it would resolve on its own.

So I went on vacation for three weeks.

While on vacation:

Subject: Notification of Limited Account Access RXI079

Dear Leo Notenboom,

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account.

Because you have not provided the information we requested in the allotted time, we were unable to perform a credit check. Unfortunately, your ability to access your account is now limited, pending your completion of these requirements. You are a valued member of our community, please take a moment to provide the information requested.

(etc...)

Sigh.

Up until now the "limited account access" had (presumably) been some limitation like being unable to transfer funds to my bank account. Unfortunately, this new limitation meant I couldn't make payments.

I found that out while on vacation when my World of Warcraft subscription payment failed.

SIGH.

So, when I returned from vacation, I took up the issue again, trying to provide PayPal the information they'd requested.

They did provide a phone number to call that - amazingly - got me to a real, live person. I was first instructed to "upgrade" my account to a business account, and that should allow me to enter my business's tax ID number (TIN) in lieu of my SSN.

Didn't work.

Back on the phone. Apparently, what I really needed to do was to fax (!) a copy of my driver's license and a specific confirmation of my tax ID (the IRS notification assigning it) to PayPal.

Oh, and the addresses all had to match. Fortunately, they did.

Unfortunately:

Subject: Request for additional information ... RXI079

Hello Puget Sound Software, LLC,

Unfortunately, we were unable to verify your TIN and therefore we will need to have you complete the requested steps below:

(etc...)

Now, I'm a really patient and generally forgiving guy. Some would say too much so.

But this was starting to piss me off.

It's also when I started looking into additional payment options, like Google Checkout.

I have no idea why they couldn't verify my tax ID - it's legitimate, public and all quite correct.

What they wanted, once again, was my SSN. And my driver's license (again). I faxed everything: TID, SSN, driver's license, confirmation of TID, and an explanation of my two accounts along with a few polite words about how frustrating this was becoming.

This morning:

Subject: Your PayPal Account Access Has Been Restored

Hello Puget Sound Software, LLC,

Our review is complete and we have restored your account.

We appreciate your patience and thank you for your help in making PayPal the safest and most trusted online payment solution.

Thanks,

PayPal

And logging in, sure enough, all the warnings had disappeared. My first action? Transfer the majority of the funds in my account - previously inaccessible to me - to my bank account.

What an ordeal. Had I been relying on this account to make real time payments (or even more or less real time) my business could have been seriously compromised.

Observations

I get that PayPal has a hard job maintaining the legitimacy of their account base. However, they seem to ignore most of the criticisms leveled at them for the painfulness and seemingly arbitrary nature of this process.

  • PayPal should know by now not to use email that is so commonly copied for phishing scams. This just floors me. (While I've shown four examples above, in reality there were perhaps at least twice as many.) There should be one email message only: "please log in to your account for an important message". Nothing else should ever be transmitted in email. Were my email stream unsecure (as many are), someone sniffing could have taken advantage of my plight and attempted to scam me at a very vulnerable time.

  • PayPal should be more transparent. Why was I selected for this screening? Why was my TIN not confirmed? How do I know this won't happen again? (I don't.)

  • PayPal should assign a customer service representative to each case (I spoke to two different ones), and they should have direct lines, and be able to answer all questions and walk through the process of re-establishing account access as rapidly as possible. As it was, my ordeal involved a messy combination of email, phone and fax.

To their credit, PayPal is doing some things right, like using no links in email and only communicating sensitive information via your account when logged in. And, I have to say, the customer service representatives were pleasant and helpful (albeit, in the first case, wrong).

There's a lot of angst around PayPal, and a lot of resentment and even hatred. I can sympathize.

I'll still use PayPal - it's such a ubiquitous and convenient system it's hard not to.

But I'll definitely be keeping my options open, using alternate methods more frequently, and making sure to keep my balance at PayPal as low as is practical.

It's too bad. It wouldn't take much for PayPal to be so much better than they are.

[Note: because of the number of folks who simply want to rant about PayPal whenever they can, I'm not going to accept comments on this article. Yes, there are many people who have fared much, much worse than I have. On the other hand, there are also many, many people who use PayPal successfully every day. My only advice: use it, but do so with some caution. As I've always advocated, and as I've always done myself.]

Article C4151 - February 17, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.
