The unfortunate reality is that it’s all too common for customer service agents to find ways of placing fraudulent orders or altering legitimate orders so they can receive multiple free product shipments. Not only could you be losing merchandise, you could also lose upset customers whose orders have been shipped to an agent’s personal address.

OrangeCRM provides many features that are designed to protect against fraudulent orders, help you monitor CSR actions, and quickly identify unauthorized activity.

Are you using all of these tools to their full potential?

Listed below are several useful suggestions and preventative measures that can help you minimize the risk of employee theft in OrangeCRM.

Closely manage and frequently monitor cash customers. Since cash transactions are auto approved by the CRM (if you allow cash transactions), CSRs could possibly find a way to enter cash orders that will be shipped to their personal address. If agents have access to your online shopping cart, don’t give them the ability to enter cash orders. Reserve that duty for managers or supervisors. If you have OrangeSOAP installed in your CRM and you allow agents to enter cash orders, make sure you frequently check those orders for suspicious activity. You can use the Quick Find Search to retrieve a list of cash customers created over a timespan. Look for warning signs such as multiple customers with the same name and/or address, as well as multiple Address Update or Fulfillment Resend Events in the OrangeEvent tab of a customer record.

Don’t give unauthorized users the ability to create a new Lead in OrangeCRM. Approved Leads create new Customer records. To prevent reps from creating fraudulent Customers from new Leads, make sure CSRs don’t have the MenuLead role, which provides access to the New Lead menu option.

Block users from accessing OrangeCRM from unapproved locations, such as their home. Restricting access to approved work locations only should significantly decrease the risk of fraudulent CSR activity. You can control this by creating an IP Whitelist in the IP Address tab of an ACL User record.

Don’t allow CSRs to submit new fulfillment requests for product shipments. Otherwise, reps could send themselves multiple free products. To eliminate that possibility, disable the Allow CSR Selection option on master product fulfillments, which will prevent users from being able to select them from the Request New Fulfillment action on a customer record.

Only allow managers or supervisors to submit reship requests. CSRs could potentially use the Resend Fulfillment action on a previous customer fulfillment to repeatedly ship merchandise to themselves. If your typical daily number of reship requests isn’t too high, you could add an increased measure of security by only allowing them to be submitted by users with the MgrAccess role. This can be controlled by enabling the Role Security feature on Fulfillment Events. To support this approach, you would need to train your CSRs to submit an OrangeTask ticket for each reship request, which would be resolved by a manager or supervisor who has the MgrAccess role.

Perform daily audits on Customer Events. Look specifically for multiple Address Update and/or Fulfillment Resend Events in the OrangeEvent tab of customer records. There are a few ways to check for this:

  • If your reps typically process a fairly small number of address updates and reship requests each day, you can review a historical record of such actions in the Events For Approval list by enabling the Require Signoff feature on select Events.
  • If your reps normally process a large quantity of events on a daily basis, it may be more practical to use the CSR Event Comparison report to quickly identify any agents who are performing Customer Update and/or Fulfillment Events significantly more often than the other agents. This would serve as a red flag that prompts you to investigate the details of such events.
  • You may also choose to perform a check on numerous randomly selected Customer Update and Fulfillment Events by using the Quick Find Search to retrieve a list of all Events performed on a particular day.
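The daily audit described above can also be run outside the CRM. The following is an added example, not OrangeCRM code: it assumes the day's Events were exported to CSV with the hypothetical columns `username`, `customer_id` and `event_type`, and it treats more than 3x the median per-agent count as "significantly more often". The usernames and rows are constructed sample data.

```python
import csv
import io
from collections import Counter
from statistics import median

# Constructed sample export. Column names are assumptions, not an OrangeCRM format.
SAMPLE_EXPORT = """\
username,customer_id,event_type
adavis,1001,Address Update
bkhan,1002,Fulfillment Resend
cwong,1003,Address Update
cwong,1004,Other Event
dlopez,2001,Address Update
dlopez,2001,Fulfillment Resend
dlopez,2001,Fulfillment Resend
dlopez,2002,Address Update
dlopez,2002,Fulfillment Resend
bkhan,1005,Address Update
"""

# The two Event types the audit looks for.
WATCHED = {"Address Update", "Fulfillment Resend"}

def load_events(text):
    """Parse the export and keep only the watched Event types."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["event_type"] in WATCHED]

def repeated_customers(events, min_events=2):
    """Customer records with several watched Events, mapped to the agents involved."""
    counts = Counter(e["customer_id"] for e in events)
    return {
        cid: sorted({e["username"] for e in events if e["customer_id"] == cid})
        for cid, n in counts.items() if n >= min_events
    }

def outlier_agents(events, factor=3.0):
    """Agents whose watched-Event count exceeds factor x the median agent count.

    Agents with no watched Events are absent from the export and from the median.
    """
    counts = Counter(e["username"] for e in events)
    baseline = median(counts.values())
    return {u: n for u, n in counts.items() if n > factor * baseline}

if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    print("Customer records to review:", repeated_customers(events))
    print("Agents to review:", outlier_agents(events))
```

A flagged agent or customer record is a prompt to open the underlying Events and check them, not proof of fraud.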

Make sure you can trace each Event back to the person who performed it. Don’t allow users to share logins and never use generic usernames, like Agent 1. Usernames should clearly identify each individual user. Always create a unique username and password for each agent.

If you need step by step instructions on how to implement any of these suggestions, please refer to the OrangeCRM Help Guide at If you need further assistance, phone support is also available at (770) 227-0036 Ext 1.