diff --git a/apps/bff/src/integrations/whmcs/services/whmcs-account-discovery.service.ts b/apps/bff/src/integrations/whmcs/services/whmcs-account-discovery.service.ts
index a32158dc..9f8c1025 100644
--- a/apps/bff/src/integrations/whmcs/services/whmcs-account-discovery.service.ts
+++ b/apps/bff/src/integrations/whmcs/services/whmcs-account-discovery.service.ts
@@ -120,24 +120,14 @@ export class WhmcsAccountDiscoveryService {
         clientId: Number(clientAssociation.id),
       };
     } catch (error) {
-      // Handle "Not Found" specifically — this is expected for discovery
-      if (
-        error instanceof NotFoundException ||
-        (error instanceof Error && error.message.toLowerCase().includes("not found"))
-      ) {
-        return null;
-      }
-
-      // Re-throw all other errors (auth failures, network issues, timeouts, etc.)
-      // to avoid silently masking problems like 403 permission errors
-      this.logger.error(
-        {
-          email,
-          error: extractErrorMessage(error),
-        },
-        "Failed to discover user by email"
+      // Sub-account lookup is best-effort — many WHMCS setups don't expose GetUsers.
+      // Log and return null rather than blocking the flow. The primary client lookup
+      // (findClientByEmail) is the authority; this is supplementary.
+      this.logger.warn(
+        { email, error: extractErrorMessage(error) },
+        "User sub-account lookup unavailable — skipping"
       );
-      throw error;
+      return null;
     }
   }
 
@@ -156,7 +146,6 @@ export class WhmcsAccountDiscoveryService {
     // If no client found, check for a user (sub-account)
     const user = await this.findUserByEmail(email);
     if (user) {
-      // User found - fetch the associated client
       return this.getClientDetailsById(user.clientId);
     }