Manual Payment Cloaking (Invoicing & Direct Payments)
Manual Payment Cloaking (or Direct Invoicing) is a technique where merchants abandon automated website-based checkouts entirely. Instead, they shift the transaction flow to manual channels (messaging apps, email) and use direct payment links or invoices generated from a dashboard.
📝 Summary
- Technique: Off-platform negotiation & manual invoicing.
- Goal: Eliminate the digital footprint associated with automated web checkouts (redirects, SDK telemetry, referrer headers).
- Risk Score: High.
By removing the "Buy Now" button from the website, the merchant effectively blinds the PSP's automated crawlers. The crawler sees a brochure site with no e-commerce functionality, while the actual transaction metadata (product name, user session) is decoupled from the payment.
🏢 Business Behavior (The "Consulting" Veneer)
In this scenario, a merchant selling high-risk goods (e.g., unlicensed IPTV subscriptions, gray-market digital tools) operates a clean, compliant-looking website.
- The Storefront: A professional site offering "Digital Consulting" or "Premium Support Services".
- The Call to Action: Instead of a cart, users see "Contact us for a custom quote" or "Chat with an agent".
- The Negotiation: The customer contacts the merchant via WhatsApp, Telegram, or Email.
- The Payment: The merchant manually generates a payment request using:
  - Stripe/PayPal Invoices: Sends a link to `pay.stripe.com/...`
  - P2P Apps: Requests funds via CashApp, Venmo, or PayPal F&F.
  - Bank Transfer: Provides IBAN/SWIFT details or a Wise/Revolut payment link.
📉 Missing Metadata
When moving to manual invoicing, PSPs lose critical detection signals:
- ❌ Referrer Header: The payment page is opened directly from a chat app, not referred by a website.
- ❌ Session Telemetry: No `stripe.js` or `paypal-sdk` loading on the merchant's site to track user behavior.
- ❌ Cart Data: Line items are generic ("Consulting Hours") rather than specific SKUs.
- ❌ Device Fingerprint: The payer's device is never linked to the merchant's website visit in the PSP's logs.
🏗 Technical Architecture
Frontend (The Shell)
- Static Content: HTML/CSS only. No e-commerce plugins (WooCommerce, Shopify).
- No SDKs: No payment processor JavaScript libraries loaded.
- Contact-Only: Forms lead to CRM/Chat, not checkout.
Backend (The Manual Loop)
- Dashboard Usage: Merchant logs into the PSP dashboard manually to create invoices.
- Link Distribution: Links are copied/pasted into chat windows.
- Generic Descriptors: All invoices use vague terms like "Professional Services", "Design Fee", or "Software Licensing".
📊 Flow Diagrams
User Flow
```mermaid
flowchart LR
    User([User]) -->|Chat/Email| Chat[Chat App<br/>WhatsApp/Telegram]
    Chat -->|Negotiation| Merchant[Merchant]
    Merchant -->|Manual Create| Dashboard[PSP Dashboard]
    Dashboard -->|Generate Link| Link[Invoice Link]
    Link -->|Send via Chat| Chat
    Chat -->|Click| PSP[PSP Checkout]
    PSP -->|Payment| Merchant
```
Metadata Visibility Gap
```mermaid
flowchart TD
    Website[Merchant Website] -.->|No Traffic| PSP[PSP Risk Engine]
    Chat[Chat App] -.->|Direct Link Click| PSP
    PSP -->|Sees| Invoice["Invoice #123<br/>'Services'"]
    PSP -->|Misses| Referrer[Referrer Header]
    PSP -->|Misses| Cart[SKU Details]
    PSP -->|Misses| Session[User Session Graph]
```
🕵️ Why PSP Detection Struggles
- No Website Crawl Target: The crawler visits the website and finds nothing to audit. It categorizes the site as "Brochure/Informational".
- Broken Chain: There is no HTTP redirect chain to trace. The link is opened in a fresh browser tab from an external app (WhatsApp), often appearing as "Direct" or "Dark" traffic.
- Semantic Obfuscation: "Consulting" is a valid, high-ticket service. A $500 invoice for "5 Hours of Consulting" is indistinguishable from a $500 payment for "Lifetime IPTV Access" based on the invoice text alone.
- Geographic Dispersion: Payment link clicks come from diverse residential IPs (the customers), not a centralized server, making IP velocity checks harder.
- Decoupling: The PSP cannot algorithmically correlate the user's visit to the website with the subsequent payment.
🏦 PSP Detection Probability
Traditional Processors
| Provider | Detection Probability | Detection Analysis |
|---|---|---|
| Stripe | 80% | Strong. Flags accounts with high volume but 0% API usage. Heavily scrutinizes "Manual Invoice" velocity. Use of generic descriptions triggers manual review. |
| PayPal | 85% | Very Strong. "Business in a Box" monitoring. If a new account sends 50 invoices for "Services" in week 1, funds are frozen immediately pending contract proof. |
| Square | 85% | Strong. Very sensitive to Card-Not-Present (CNP) manual entry or invoice volume without corresponding POS activity. |
| Shopify Payments | 70% | Medium. Allows "Draft Orders" (manual links), but flags high volume if there are no corresponding "Online Store" sessions. |
| Adyen | 60% | Medium. Focused on enterprise API integration. Manual Pay-by-Link is less common for their typical risk profile, potentially allowing some slip-through. |
| Authorize.net | 50% | Medium. "Virtual Terminal" usage is standard for B2B. Harder to distinguish fraud from legit B2B without manual audit. |
| Worldpay | 60% | Medium. Relies on chargeback monitoring. High volume of manual links may trigger a compliance audit. |
| Checkout.com | 75% | Strong. Analyzes payment link velocity and "Time-to-Pay" metrics. |
Manual & P2P Channels
| Channel | Detection Probability | Detection Analysis |
|---|---|---|
| PayPal F&F | 20% | Very Weak. Designed for personal transfers. Extremely hard to police unless volume is massive ($10k+/mo). |
| CashApp / Venmo | 20% | Very Weak. Personal P2P apps have loose commercial monitoring limits compared to merchant accounts. |
| Wise | 90% | Very Strong. Strict compliance. Demands invoices/contracts for almost all inbound commercial transfers. |
| Revolut Business | 92% | Very Strong. Aggressive AML algorithms. Blocks accounts receiving frequent transfers from unrelated individuals without clear documentation. |
| N26 / Local Bank | 40% | Weak. Banks look for money laundering (structuring), not merchant category violations. "Consulting" wires usually pass. |
| WhatsApp Pay | 30% | Weak. Hard to distinguish from personal transactions in markets where it's active. |
🛡️ Detection Strategies
Risk engineering teams can deploy specific heuristics to catch manual cloaking:
1. Invoice Pattern Clustering
Analyze the text entropy of invoice descriptions.
- Signal: 500 invoices issued with the exact string "Consulting Services".
- Reality: Real consultants customize invoices ("Project Alpha - Milestone 2"). Zero variance implies automation or cloaking.
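An added example (not part of the original page) that carries the exact-string signal over to Shannon entropy on normalized descriptions, so a merchant rotating two or three generic strings, or appending a counter, still scores as near-zero variance. The field names, the 50-invoice minimum and the 1-bit cut-off are assumptions.

```typescript
// Added example: field names and thresholds are assumptions, not PSP values.
interface InvoiceRecord { merchantId: string; description: string; }
interface EntropyFinding {
  merchantId: string; invoiceCount: number; distinctTemplates: number;
  entropyBits: number; flagged: boolean;
}
// Drop case, digits and punctuation so "Design Fee #12" and "design fee 13"
// collapse to one template: a running counter is not real variance.
function toTemplate(description: string): string {
  return description.toLowerCase().replace(/[^a-z]+/g, " ").trim();
}

// Shannon entropy (bits) of each merchant's template distribution.
function scoreDescriptionEntropy(
  invoices: InvoiceRecord[], minInvoices = 50, maxEntropyBits = 1.0
): EntropyFinding[] {
  // Null-prototype maps: merchant-controlled keys must not hit Object.prototype.
  const perMerchant: Record<string, Record<string, number>> = Object.create(null);
  for (const inv of invoices) {
    const counts: Record<string, number> =
      perMerchant[inv.merchantId] || (perMerchant[inv.merchantId] = Object.create(null));
    const template = toTemplate(inv.description);
    counts[template] = (counts[template] || 0) + 1;
  }
  return Object.keys(perMerchant).map((merchantId) => {
    const counts = perMerchant[merchantId];
    const templates = Object.keys(counts);
    const total = templates.reduce((sum, t) => sum + counts[t], 0);
    let entropyBits = 0;
    for (const t of templates) {
      const p = counts[t] / total;
      entropyBits -= p * (Math.log(p) / Math.LN2);
    }
    const flagged = total >= minInvoices && entropyBits <= maxEntropyBits;
    return { merchantId, invoiceCount: total, distinctTemplates: templates.length, entropyBits, flagged };
  });
}

// Constructed sample data (not real merchants).
const sampleInvoices: InvoiceRecord[] = [];
for (let i = 0; i < 60; i++) {
  // m_rotating: 55 numbered "Consulting Services" invoices, then 5 "Design Fee".
  const generic = i < 55 ? `Consulting Services #${i}` : "Design Fee";
  sampleInvoices.push({ merchantId: "m_rotating", description: generic });
  // m_varied: 60 distinct two-letter project codes (AA, BA, CA, ...).
  const code = String.fromCharCode(65 + (i % 26)) + String.fromCharCode(65 + Math.floor(i / 26));
  sampleInvoices.push({ merchantId: "m_varied", description: `Project ${code} milestone ${i}` });
}
const entropyFindings = scoreDescriptionEntropy(sampleInvoices);
```

Stripping digits also collapses genuinely numbered milestones of a single project, so the score is a reason to review, not proof on its own.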
2. Link-Opening Telemetry
- Signal: If the PSP hosts the invoice page, they can see the `Referer` header.
- Anomaly: 100% of traffic comes from `android-app://com.whatsapp` or `t.me` (Telegram). Legitimate B2B invoices are usually opened from webmail (Gmail/Outlook).
3. Velocity of "Creation vs. Payment"
- Signal: In manual cloaking, the link is often generated while chatting.
- Anomaly: Burst of 10 invoices created in 5 minutes, all paid within 2 minutes. Human consultants don't work that fast.
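An added example (not from the original page) of the creation-versus-payment check: a sliding window over creation times that reports clusters of quickly paid invoices. The field names are assumptions; the default thresholds are the 10 invoices, 5 minutes and 2 minutes quoted above.

```typescript
// Added example: field names are assumptions; default thresholds are the
// "10 invoices in 5 minutes, all paid within 2 minutes" figures from the text.
// Times are epoch milliseconds; paidAt is null while the invoice is unpaid.
interface InvoiceTiming { invoiceId: string; createdAt: number; paidAt: number | null; }
interface BurstFinding { firstCreatedAt: number; invoiceIds: string[]; }

function findPaidBursts(
  invoices: InvoiceTiming[], burstSize = 10,
  windowMs = 5 * 60 * 1000, maxPayMs = 2 * 60 * 1000
): BurstFinding[] {
  // Keep only invoices paid quickly. Unpaid invoices and records with paidAt
  // before createdAt (bad data) are dropped, so one abandoned link cannot hide a burst.
  const fast = invoices
    .filter((inv) => {
      const delay = inv.paidAt === null ? -1 : inv.paidAt - inv.createdAt;
      return delay >= 0 && delay <= maxPayMs;
    })
    .sort((a, b) => a.createdAt - b.createdAt);
  const findings: BurstFinding[] = [];
  let left = 0;
  let lastEnd = -1; // index in `fast` of the last invoice already reported
  for (let r = 0; r < fast.length; r++) {
    while (fast[r].createdAt - fast[left].createdAt > windowMs) left++;
    if (r - left + 1 < burstSize) continue;
    if (left <= lastEnd) {
      // Window overlaps the previous finding: extend it instead of duplicating.
      const last = findings[findings.length - 1];
      fast.slice(lastEnd + 1, r + 1).forEach((inv) => last.invoiceIds.push(inv.invoiceId));
    } else {
      findings.push({ firstCreatedAt: fast[left].createdAt,
        invoiceIds: fast.slice(left, r + 1).map((inv) => inv.invoiceId) });
    }
    lastEnd = r;
  }
  return findings;
}

// Constructed sample timeline (not real data).
const T0 = 1700000000000;
const sampleTimings: InvoiceTiming[] = [];
for (let i = 0; i < 12; i++) {
  const createdAt = T0 + i * 20000; // one link every 20 s, paid 60-71 s later
  sampleTimings.push({ invoiceId: `burst-${i}`, createdAt, paidAt: createdAt + 60000 + i * 1000 });
}
sampleTimings.push(
  { invoiceId: "slow-1", createdAt: T0 + 30000, paidAt: T0 + 3 * 86400000 }, // paid days later
  { invoiceId: "open-1", createdAt: T0 + 45000, paidAt: null },              // never paid
  { invoiceId: "fast-late", createdAt: T0 + 6 * 3600000, paidAt: T0 + 6 * 3600000 + 30000 }
);
const burstFindings = findPaidBursts(sampleTimings);
```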
4. "Synthetic User" Operations
- Strategy: Risk teams pose as customers (Mystery Shopping) to solicit a payment link, then trace the link back to the merchant account ID.
💻 Example Defensive Pseudocode
1. Description Anomaly Detection (TypeScript)
```typescript
// Minimal types so the example compiles on its own
interface Invoice {
  description: string;
}
enum RiskScore {
  LOW = "LOW",
  HIGH = "HIGH",
}

// Detects if a merchant is spamming identical generic invoices
function detectGenericInvoiceSpam(invoices: Invoice[]): RiskScore {
  const genericTerms = ["services", "consulting", "fees", "digital goods"];
  // Normalize descriptions and check for exact repetition
  const descriptions = invoices.map(i => i.description.toLowerCase().trim());
  const uniqueDesc = new Set(descriptions);
  // If more than 50 invoices share a single unique description
  if (invoices.length > 50 && uniqueDesc.size === 1) {
    // And that description is generic
    if (genericTerms.some(term => descriptions[0].includes(term))) {
      return RiskScore.HIGH;
    }
  }
  return RiskScore.LOW;
}
```
2. Chat App Correlation (Pseudo-SQL)
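```sql
-- Detect payments originating primarily from chat apps instead of email/web
SELECT
  merchant_id,
  COUNT(*) AS total_txns,
  SUM(CASE WHEN referrer LIKE '%whatsapp%' OR referrer LIKE '%telegram%' THEN 1 ELSE 0 END) AS chat_traffic
FROM payment_page_views
GROUP BY merchant_id
-- Aggregates are repeated because many engines reject SELECT aliases in HAVING;
-- multiplying by 1.0 stops integer division from truncating the ratio to 0
HAVING COUNT(*) > 20
  AND SUM(CASE WHEN referrer LIKE '%whatsapp%' OR referrer LIKE '%telegram%' THEN 1 ELSE 0 END) * 1.0
      / COUNT(*) > 0.80; -- >80% traffic from Chat Apps
```
3. Payment Link Velocity Scoring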
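```typescript
// Minimal types so the example compiles on its own
interface AuditLog {
  type: string;
  timestamp: number; // epoch milliseconds
}
interface Alert {
  alert: string;
}

// Flag rapid-fire invoice creation typical of "shift" work or bot usage
function checkInvoiceVelocity(events: AuditLog[]): Alert {
  // Filter for "Invoice Created" events and order them by time,
  // since the gap check below assumes chronological order
  const creations = events
    .filter(e => e.type === 'INVOICE_CREATED')
    .sort((a, b) => a.timestamp - b.timestamp);
  // Check time gaps between consecutive creations
  for (let i = 1; i < creations.length; i++) {
    const timeDiff = creations[i].timestamp - creations[i - 1].timestamp;
    // If two invoices were created within 10 seconds (10,000 ms) of each other manually
    if (timeDiff < 10000) {
      return { alert: "Bot-like manual invoice creation detected" };
    }
  }
  return { alert: "Normal" };
}
```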