What a VPN Actually Protects Against (And What It Doesn't)

A VPN is one of the most widely recommended privacy tools available, and for good reason. But the marketing around VPNs often overpromises, leaving users with a false sense of security. Understanding what a VPN actually protects against, and where it stops being useful, is genuinely important for anyone building a personal security setup.

The short version: a VPN is excellent at a specific, narrow set of tasks. Outside those tasks, it does almost nothing to protect you from hackers.

What a VPN Genuinely Defends You Against

A VPN works by encrypting your internet traffic and routing it through a server that masks your real IP address. Those two functions directly address several real threats.

Public Wi-Fi interception is the most practical use case for most people. When you connect to an unsecured network at a coffee shop, airport, or hotel, other users on the same network can potentially intercept unencrypted traffic. A VPN encrypts that traffic before it leaves your device, making it unreadable to anyone snooping on the local network. This matters less than it once did now that most websites use HTTPS by default, but there are still scenarios where unencrypted data passes over public networks.

IP address exposure is another area where VPNs deliver real protection. Your IP address can reveal your approximate physical location and, in some cases, be used to identify you across services. Masking it with a VPN server's IP limits what advertisers, websites, and some threat actors can infer about you.

DDoS targeting is a less common but genuine threat, particularly for gamers, streamers, and content creators. A distributed denial-of-service attack floods a target's IP address with junk traffic to knock them offline. If your real IP is hidden behind a VPN server, attackers cannot target your actual connection. The VPN server absorbs the flood instead.

These are real protections. They are just not comprehensive ones.

Where a VPN Falls Short

A VPN cannot inspect, block, or filter what you choose to do with your connection. That means entire categories of attacks bypass it completely.

Phishing is perhaps the most important gap. If you click a malicious link in an email and enter your credentials on a fake login page, a VPN does nothing to stop that. The encrypted tunnel faithfully delivers you to the fraudulent site. The attack succeeds regardless.

Malware works the same way. If you download and execute a malicious file, your VPN has no mechanism to detect or block it. Malware operates at the application layer, well above the network-level protection a VPN provides.

Account compromise through credential stuffing, password reuse, or session hijacking is similarly unaffected. If an attacker obtains your username and password from a breached database, they can log into your accounts from anywhere. Your VPN does not protect those credentials.

Zero-day exploits targeting your browser, operating system, or applications have nothing to do with your IP address or network traffic encryption. They exploit vulnerabilities in software itself.

This pattern extends to sophisticated threats as well. As covered in the recent analysis of Singapore's state-level APT attacks, advanced persistent threat actors use techniques like spear phishing, supply chain compromise, and endpoint exploitation that a VPN simply was not designed to counter. Nation-state level adversaries do not need to intercept your Wi-Fi traffic.

The Complementary Security Stack

Because a VPN covers network-layer threats and almost nothing else, serious security requires layering additional tools.

A password manager with unique, randomly generated passwords per account neutralises credential stuffing attacks. Reused passwords are one of the most common account compromise vectors, and no VPN addresses that.

Multi-factor authentication (MFA) adds a second barrier even if credentials are stolen. Hardware security keys offer the strongest form of MFA, though authenticator apps are a significant improvement over SMS-based codes.

Endpoint protection software handles malware, ransomware, and some exploit attempts at the device level. Combined with keeping your operating system and applications patched and current, this addresses the software vulnerability surface that VPNs cannot touch.

Phishing-resistant email habits and browser extensions that flag suspicious URLs reduce the effectiveness of social engineering attacks. Training yourself to scrutinise links before clicking is, unglamourously, one of the most effective security measures available.
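The link scrutiny described above works on the URL itself, which is exactly the part a VPN tunnel never inspects. The following Python is an added example, not part of the original article: the function name, the warning labels and the sample URLs (reserved example domains and a documentation IP range) are constructed for illustration, and the checks are heuristics rather than a complete phishing detector.

```python
import ipaddress
from urllib.parse import urlsplit


def link_warnings(url, expected_domain):
    """Return reasons not to trust `url` as a page belonging to `expected_domain`."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the hostname

    # Plain HTTP gives no server authentication, with or without a VPN.
    if parts.scheme != "https":
        warnings.append("not-https")

    # "https://brand.example@other.example/" really goes to other.example.
    if parts.username is not None:
        warnings.append("userinfo-before-host")

    # Legitimate login pages are rarely served from a bare IP address.
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass

    # Punycode or non-ASCII labels can render as look-alike characters.
    if any(l.startswith("xn--") or not l.isascii() for l in host.split(".")):
        warnings.append("punycode-label")

    # The host must be the expected domain or a subdomain of it;
    # "example.com.evil.example" only *starts* with the brand name.
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        warnings.append("host-mismatch")
    return warnings


# Constructed sample links, all claiming to be a login page for example.com.
SAMPLES = [
    "https://login.example.com/signin",
    "https://example.com.account-verify.example.net/login",
    "https://accounts.example.com@login.example.net/signin",
    "http://203.0.113.7/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", link_warnings(link, "example.com") or "no warnings")
```

An empty result means only that none of these specific tricks is present; navigating directly to the site remains the safer habit.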

It is worth noting that even encrypted messaging applications are not immune to user-level compromise. A recent breakdown of why Signal users are being hacked despite the app's strong encryption illustrates the point clearly: attackers target the person, the device, or the account settings rather than the encryption protocol itself. A VPN would not have helped in those cases either.

A Practical Use-Case Framework

Rather than asking whether you should use a VPN, the better question is when it helps and when you need to reach for something else.

Use your VPN when connecting to public or untrusted Wi-Fi networks, when you want to limit IP-based tracking and profiling, when your real IP address could expose your physical location to a hostile party, or when you want to reduce the risk of DDoS targeting in online games or streams.

Reach for other tools when you are evaluating an email link before clicking it (use a link scanner or just navigate directly to the site), when you are assessing whether your accounts are secure (use a password manager and enable MFA), when you want protection from malware (use endpoint security software and keep systems patched), or when you are dealing with a targeted attack by a sophisticated adversary who has already identified you as a target.

What This Means For You

A VPN is a useful and legitimate tool. It belongs in a personal security setup, but it should not be the only thing in that setup, and it should not be expected to do jobs it was never designed for.

The threats that cause the most real-world harm (phishing, malware, account takeovers, and targeted exploitation) operate above the network layer. A VPN's encryption and IP masking are irrelevant to all of them.

The most effective approach is a layered one: use a VPN for the specific scenarios where it helps, and use purpose-built tools for the threats it cannot address. Understanding which tool handles which threat is the foundation of a security posture that actually holds up under pressure. Exploring specific real-world attack scenarios is a good next step for putting that framework into practice.