disable built in ticket module
currently when a fraudulent order is made, WHMCS still activates the user, allowing them to login and attempt to hack your system with SQL injection etc.
This needs to be stopped. If the order is fraudulent then the account should not be made active.
An email should also be sent out tot he admin warning of a fraudulent order, so the account can be checked and deleted.