New PayPal Phishing Scam Advises Users via SMS that their Account has been Limited

A new PayPal phishing scam is being conducted via SMS messages that informs users that their PayPal account has been permanently set to ‘limited’ status, which restricts sending, receiving, or withdrawing money from PayPal accounts.

The limited status is applied to accounts when PayPal detects fraudulent or suspicious activity. PayPal restricts accounts for security reasons, such as when someone other than the legitimate account holder is believed to have accessed a PayPal account without authorization or if the account holder’s bank informs PayPal that the account holder’s payment cared has been used without consent.

The SMS messages used in this scam appear to be genuine notifications from PayPal and include a hyperlink which the user is told to click to verify and secure their account. If the user clicks the link, they will be directed to a website that explains that the limited status has been applied because of possible unauthorized access, unresolved buyer disputes, or credit card chargebacks.

In order to lift the limited status and secure the account, the user is told they need to provide personal information. The user is required to enter their PayPal login information and the scammers also request personal information such as the user’s full name, date of birth, and billing address. That information will be used in phishing attacks to gain additional information to allow the scammers to steal the user’s identity.

PayPal is often spoofed in phishing campaigns. With around 286 million account holders, it is likely that a good percentage of emails and text messages in the campaigns will be directed to PayPal account holders. If PayPal credentials are obtained, accounts can be emptied, and fraudulent payments can be made. Despite the security risks, many people reuse passwords on multiple accounts, so their PayPal password could also allow other accounts to be accessed.

SMS phishing scams – termed smishing – can be more effective than email phishing scams, as security measures are often lacking on smartphones, so it is easier for malware to be installed undetected than attacks on computers. Due to the small screen size, it is also harder for users to view the full URL of a webpage which makes it easier for scammers to fool users into thinking they are visiting a genuine domain.

As with emails, it is important not to click any links in unsolicited SMS messages. If alerted to a security issue, visit the official website of the service provider by entering the domain name into a browser and logging in to check whether there is a genuine issue with your account.

If you fall for a scam such as this, it is important to login to your account and change your password immediately. If you have used the same password on multiple accounts, make sure the password is also changed on those accounts as well and make sure you check your account statements for any fraudulent charges and report them to your bank or card provider immediately.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of