The phrase “Limited Account Access” is something we all see pretty regularly
– unless our spam filter is really, really good. Spoofing a “Limited Account
Access” notification is an extremely common approach used by scammers to trick
you into giving them access to your PayPal account, or perhaps information that
could be used for purposes of identity theft.
So, naturally, when I received that message for the hundredth time, I gave
it very little notice.
Until, that is, I logged into my PayPal account.
Here’s the message that started it all:
To be honest, I wasn’t really sure what to make of that. My account isn’t heavily used – it’s one payment option for BuyLeoALatte.com and BuyLeoABeer.com, and for advertisers who purchase ads in my newsletter on Ask Leo! directly from me. It’s not a lot of traffic.
Perhaps the small transactions for the lattes triggered something; who knows.
So, they wanted to do a credit check. I’ve no real problem with that, as I’m certain that they do have legitimate issues of fraud to defend against, and doing such a check is certainly one approach to confirming, or at least increasing confidence in, the validity of the account holder.
The question you should be asking right now is this: how did I know it was real, and not a scam?
That was pretty simple really:
There were no links in the email. Good for PayPal for that. I do keep preaching “don’t click on links in suspicious emails”, and one of the best ways that a legitimate email can reduce suspicions is simply not to have any. You must log in to your account for the next steps, whatever they might be.
Logging into my PayPal account confirmed the message. I’ll note that I was very careful in how I logged in – making sure that the site was https, and that my browser displayed the green security confirmation that PayPal’s secure connection provides.
Logging into the web site manually – not through any provided link – is the only safe way to determine that a notification you receive is valid. If the website confirms the notification – as PayPal did when I logged in by telling me I had limited account access – then the email can be considered legitimate. If not – if there’s nothing on the site after logging in relating to the notification in any way – then it’s likely a scam and should be ignored. If that concerns you, then you should independently contact the customer service department (again, not using any links or email addresses provided in the email) to double check.
Once I logged in I was directed to PayPal’s “Resolution Center”, where I was asked to provide my address (odd, since they have it on file already, but I did), and my Social Security Number (SSN). To their credit, they provided alternate means of providing the SSN should I be unwilling to type it in online, but it was still the SSN they wanted.
After once again confirming my SSL connection to PayPal, I gave it to them.
And they rejected it.
The problem is that I have two PayPal accounts – one for my personal use, and one for my business. It was my business account that this kerfuffle was all about, and my SSN had already been associated with my personal account. You apparently can’t use the same SSN on two accounts.
At this point, I simply decided that they had more than enough information to do the credit report as it was. Perhaps it would resolve on its own.
So I went on vacation for three weeks.
While on vacation:
Up until now the “limited account access” had (presumably) been some limitation like being unable to transfer funds to my bank account. Unfortunately, this new limitation meant I couldn’t make payments.
I found that out while on vacation when my World of Warcraft subscription payment failed.
So, when I returned from vacation, I took up the issue again, trying to provide PayPal the information they’d requested.
They did provide a phone number to call that – amazingly – got me to a real, live person. I was first instructed to “upgrade” my account to a business account, and that should allow me to enter my business’s tax ID number (TIN) in lieu of my SSN.
Back on the phone. Apparently, what I really needed to do was to fax (!) a copy of my driver’s license and a specific confirmation of my tax ID (the IRS notification assigning it) to PayPal.
Oh, and the addresses all had to match. Fortunately, they did.
Now, I’m a really patient and generally forgiving guy. Some would say too much so.
But this was starting to piss me off.
It’s also when I started looking into additional payment options, like Google Checkout.
I have no idea why they couldn’t verify my tax ID – it’s legitimate, public and all quite correct.
What they wanted, once again, was my SSN. And my driver’s license (again). I faxed everything: TID, SSN, driver’s license, confirmation of TID, and an explanation of my two accounts along with a few polite words about how frustrating this was becoming.
And logging in, sure enough, all the warnings had disappeared. My first action? Transfer the majority of the funds in my account – previously inaccessible to me – to my bank account.
What an ordeal. Had I been relying on this account to make real time payments (or even more or less real time) my business could have been seriously compromised.
I get that PayPal has a hard job maintaining the legitimacy of their account base. However, they seem to ignore most of the criticisms leveled at them for the painfulness and seemingly arbitrary nature of this process.
PayPal should know by now not to use email that is so commonly copied for phishing scams. This just floors me. (While I’ve shown four examples above, in reality there were perhaps at least twice as many.) There should be one email message only: “please login to your account for an important message”. Nothing else should ever be transmitted in email. Were my email stream unsecure (as many are), someone sniffing could have taken advantage of my plight and attempted to scam me at a very vulnerable time.
PayPal should be more transparent. Why was I selected for this screening? Why was my TIN not confirmed? How do I know this won’t happen again? (I don’t.)
PayPal should assign a customer service representative to each case (I spoke to two different ones), and they should have direct lines, and be able to answer all questions and walk through the process of re-establishing account access as rapidly as possible. As it was, my ordeal involved a messy combination of email, phone and fax.
To their credit, PayPal is doing some things right, like using no links in email and only communicating sensitive information via your account when logged in. And I have to say that the customer service representatives were pleasant and helpful (albeit, in the first case, wrong).
There’s a lot of angst around PayPal, and a lot of resentment and even hatred. I can sympathize.
I’ll still use PayPal – it’s such a ubiquitous and convenient system it’s hard not to.
But I’ll definitely be keeping my options open, using alternate methods more frequently, and making sure to keep my balance at PayPal as low as is practical.
It’s too bad. It wouldn’t take much for PayPal to be so much better than they are.
[Note: because of the number of folks who simply want to rant about PayPal whenever they can, I’m not going to accept comments on this article. Yes, there are many people who have fared much, much worse than I have. On the other hand, there are also many, many people who use PayPal successfully every day. My only advice: use it, but do so with some caution. As I’ve always advocated, and as I’ve always done myself.]