In an FTC enforcement action against ITMedia Solutions, investigators found that 84% of the loan applications the company collected were never sold to lenders. Not once. They went to marketers, debt relief sellers, and data resellers instead. The company had positioned itself as a path to a personal loan. It was, in practice, a data harvesting operation that happened to look like a lending site.
That case resulted in a $1.5 million penalty. But ITMedia was not an outlier. It was a business model.
You Applied for One Loan and Got Eight Phone Calls
If you have ever filled out what looked like a loan application online, only to have your phone light up within the hour with calls from companies you have never heard of, you already know something went wrong. You just may not know what.
Here is what happened: you did not apply for a loan. You submitted your personal information, including your name, Social Security number, income, and employer, into a lead-generation form. That form fed your data into what the industry calls a "ping tree." Your application was broadcast to dozens, sometimes over a hundred, potential buyers simultaneously. The highest bidder got first crack at you. Everyone else got your information too, or a version of it.
A single application can generate leads priced anywhere from $0.01 for low-quality data to $250 for a verified, high-intent borrower. The economics are simple: the site makes money whether or not you get a loan. Your data is the product.
The Three Types of Sites You Will Encounter
Not every online lending site works the same way, but most bad credit borrowers cannot tell them apart. That confusion is profitable for the wrong people.
Direct lenders originate the loan themselves. They underwrite your application using their own criteria, fund the loan from their own capital or credit facility, and service the debt. When you apply on a direct lender's site, your data stays with that lender (subject to their privacy policy, which you should still read). Examples include OneMain Financial, Avant, and LendingClub.
Lending marketplaces operate as intermediaries. You fill out one application, and the marketplace matches you with lenders in its network. The difference between a marketplace and a lead generator is supposed to be transparency and curation. A legitimate marketplace discloses that it is not a lender, names its partners, and gives you the option to choose among offers. Credible and LendingTree operate this way.
Lead generators look like lenders or marketplaces but function as neither. They collect your information and sell it, often through ping trees, to whoever pays. Some sell exclusively to lenders. Many do not. The FTC's case against Blue Global Media found that the company claimed "four out of every five" applicants were approved and that data was "completely protected 24/7 GUARANTEED," while selling applications to entities that could not even provide a business address.
The problem is that all three types of sites can look nearly identical. Same clean design, same "Apply Now" button, same promise of fast funding. The differences hide in the fine print.
Why This Problem Is Getting Worse
The CFPB received 6.6 million consumer complaints in 2025, nearly double the 3.2 million it received the year before. TCPA class action filings (largely driven by unwanted marketing calls from lead buyers) increased 97% year-over-year through October 2025, with 1,807 class actions filed compared to 915 in the same period of 2024.
Those numbers tell a story about scale. The lead-generation industry has grown faster than the regulatory infrastructure designed to police it. And borrowers with bad credit are the most vulnerable targets, because they apply more frequently, get denied more often, and are more likely to try unfamiliar sites out of desperation.
There is some regulatory movement. The Homebuyers Privacy Protection Act, effective March 2026, requires consumers to affirmatively consent before credit inquiry data can be used for direct marketing or lead generation. That law applies to mortgage lending specifically, but it signals a trend. Whether similar protections will extend to personal lending remains to be seen.
The 7-Point Vetting Checklist: What to Check Before You Hit "Apply"
You can identify most lead generators before submitting your information. It requires about five minutes of reading that most people skip. Do not skip it.
1. Read the Footer Disclaimer
Scroll to the very bottom of the page. Lead generators are often required to disclose that they are not lenders. Look for language like "we are not a lender," "this is not a loan offer," "by submitting your information you consent to be contacted by our network of lenders and partners," or "your information may be shared with up to [X] lending partners." If you see any of those phrases, you are on a lead-generation site.
2. Search for State License Numbers
Legitimate lenders must be licensed in every state where they operate. Most display their license numbers on their website, usually on the legal disclosures or "About" page. If the site lists no licensing information, that is a red flag. Note: there is no single federal database for verifying personal loan lender licenses across all states. You will need to check with your state's banking or financial regulation department directly.
3. Look for "Lender Network" Language
Direct lenders describe their own products. Lead generators and some marketplaces describe their "network of lenders" or "lending partners." This language tells you that the site itself is not making the lending decision. That is not automatically bad (marketplaces use it too), but it means you need to dig deeper into how your data will be handled.
4. Verify a Physical Address
Search for the company's physical address. Look it up. A legitimate lender will have real offices. If the site provides no address, or if the address leads to a virtual office or PO box, proceed with caution. Blue Global Media, the FTC target mentioned earlier, sold applications to entities that could not provide a business address at all.
5. Check for Origination Disclosures
Before any legitimate lender funds a loan, they are required under the Truth in Lending Act to disclose the APR, total finance charges, and repayment terms. If the site promises "instant approval" but never shows you specific loan terms with an APR before asking for your Social Security number, you are likely on a lead-generation site.
6. Read the Privacy Policy Sharing Section
This is the most important step and the one almost nobody takes. Open the privacy policy and search for terms like "share," "sell," "third party," and "affiliate." The Gramm-Leach-Bliley Act requires financial institutions to disclose how they share consumer data with nonaffiliated third parties. A direct lender's privacy policy will describe limited, specific sharing. A lead generator's policy will describe broad sharing with "marketing partners," "service providers," and "affiliated companies" in language designed to cover as many recipients as possible.
7. Google the Company Name Plus "Complaints"
Search the company name alongside words like "complaints," "calls," "spam," or "scam." Check the CFPB complaint database and the Better Business Bureau. If borrowers consistently report receiving calls from unknown companies after applying, the site is almost certainly feeding a ping tree.
When Lead Generation Crosses Into Scam Territory
Lead generation is not inherently illegal. Many legitimate lending marketplaces use variations of the model. The line between legal aggregation and predatory data harvesting is often about disclosure and intent.
But some signs push a site clearly into scam territory:
- Upfront fees. No legitimate lender charges a fee before approving and funding a loan. If a site asks for payment before you receive money, walk away.
- No verifiable business address or licensing. A company that cannot prove it is a registered business in any state has no accountability.
- Pressure to act immediately. "This offer expires in 10 minutes" is a manipulation tactic. Real loan offers do not evaporate.
- Guaranteed approval regardless of credit. No legitimate lender guarantees approval. If someone promises it, they are collecting data, not underwriting loans.
For a deeper dive into specific scam patterns and how to verify any lender's legitimacy, the 10-minute lender verification checklist covers the six steps you should take before sharing personal information with anyone.
Your Data Has Already Been Shared. Now What?
If you have already submitted your information to a site that turned out to be a lead generator, the damage is not irreversible. But you need to act.
Opt out of further sharing. Under the Gramm-Leach-Bliley Act, you have the right to opt out of information sharing with nonaffiliated third parties. That opt-out remains effective until you revoke it. Contact the company (if you can identify it) and request the opt-out in writing.
Freeze your credit inquiries. If you are concerned about unauthorized credit pulls, you can place a fraud alert or credit freeze with all three bureaus (Equifax, Experian, TransUnion). This will not affect your existing accounts but will prevent new inquiries.
Opt out of prescreened offers. Visit OptOutPrescreen.com, a service run by the major credit bureaus, to stop prescreened credit and insurance offers. You can opt out for five years online or permanently by mail.
File a complaint. The FTC accepts complaints at ReportFraud.ftc.gov. The CFPB accepts complaints at consumerfinance.gov/complaint. Filing a complaint may not get your data back, but it contributes to enforcement patterns that lead to actions like the ITMedia case.
How to Protect Yourself Going Forward
The simplest protection is also the most effective: apply directly on lender websites, not through intermediary sites you found through ads or search results you did not verify.
If you want to compare multiple lenders, use established marketplaces (Credible, LendingTree) that allow pre-qualification through soft credit pulls, meaning no impact to your score and no commitment. Read their data-sharing disclosures before submitting anything.
Before applying anywhere, spend five minutes on the vetting checklist above. Check the footer. Search for licenses. Read the privacy policy's sharing section. Those five minutes can save you months of unwanted calls and the risk of your financial data circulating through networks you never consented to.
The "instant approval" promise is almost always a tell. Real underwriting takes time because real lenders are evaluating whether they can responsibly lend to you. A site that skips that evaluation is not trying to lend you money. It is trying to sell your information to someone who might. Understanding what lenders actually evaluate beyond your credit score gives you a clearer picture of what real underwriting looks like versus a data collection form.
Why This Matters for Bad Credit Borrowers Specifically
Borrowers with good credit have options. They get pre-qualified offers from banks they already use. They compare rates on established platforms. They have leverage.
Borrowers with bad credit search more broadly, apply more often, and are more willing to try unfamiliar sites. That behavioral pattern makes them the most profitable targets for lead generators. The CFPB's complaint data, the TCPA lawsuit surge, and the FTC's enforcement history all point to the same conclusion: the people who can least afford to have their data exploited are the ones most likely to experience it.
Knowing how to vet an online lender is not just good practice. For bad credit borrowers, it is a form of financial self-defense.
Frequently Asked Questions About Online Lender Vetting
How can I tell if a website is a direct lender or a lead generator?
Check the footer for disclaimers like "we are not a lender" or "your information may be shared with our lending partners." Direct lenders display state license numbers, describe their own loan products with specific terms, and do not reference a "network" of lenders. Lead generators describe partner networks and include broad data-sharing language in their privacy policies.
Is it illegal for a website to sell my loan application data?
Not necessarily. Lead generation is legal when the company discloses its practices and obtains consent. However, the FTC has taken enforcement action against lead generators that misrepresented themselves as lenders or sold data to non-lending entities. The legality depends on whether the company's disclosures were accurate and whether your consent was meaningfully obtained.
What is a ping tree in online lending?
A ping tree is a system where your loan application is broadcast to multiple potential buyers (lenders, marketplaces, or other data purchasers) simultaneously. The highest bidder gets your application first. If they decline, it moves to the next bidder, and so on. A single application can be pinged to 10, 50, or more buyers in a matter of seconds.
What should I do if I start getting calls from lenders I never contacted?
Your data was likely sold through a lead-generation network. Opt out of further sharing under the Gramm-Leach-Bliley Act, place a fraud alert or credit freeze with all three credit bureaus, opt out of prescreened offers at OptOutPrescreen.com, and file complaints with the FTC (ReportFraud.ftc.gov) and the CFPB (consumerfinance.gov/complaint).
Are all lending marketplaces the same as lead generators?
No. Legitimate lending marketplaces like Credible and LendingTree disclose their role as intermediaries, offer pre-qualification with soft credit pulls, and let you choose among specific loan offers from identified lenders. Lead generators typically provide no specific offers, collect sensitive data upfront, and sell your information broadly without giving you a choice among lenders.
