Around a third of all internet users worldwide use a virtual private network, or VPN, according to a study by VPN company Surfshark. And why wouldn’t they? A VPN can boost your digital privacy by hiding your public IP address, assist you in fighting deteriorating global online freedom and help you save money on streaming by unblocking geo-restricted content from around the world.
However, the rise of VPNs has flooded the market with dodgy and fake VPN apps that might look legitimate on the surface but do absolutely nothing to protect your privacy. In fact, some of them are malicious, carefully designed to collect your data or even load malware onto your device.
While using a VPN is usually super simple, spotting a shady VPN can take a fair bit of expertise. You need to be clued up on privacy policies, technical-sounding features, and, most importantly, understand where a particular VPN service stands compared to the rest of the market. Discover the top nine red flags to look out for when shopping for a VPN.
1. Unclear or absent no-logs policy
The VPN provider sits between you and the internet, so it can see your real public IP address, and it can record which websites and apps you connect to, your email provider and your bank included. Even when the traffic itself is TLS-encrypted, the destination addresses and domain names are visible to the provider. That's why it's essential that the VPN service you use is ethical and that you trust the company. One of the ways VPN companies assure users that they don't collect sensitive information is through a no-logs policy. Essentially, a no-logs policy says your internet activity while the VPN is enabled isn't recorded or retained.
However, it can be tricky to dive into the fine print of a privacy policy, which is typically where VPN companies describe their data retention practices. As a rule of thumb, be wary of a no-logs policy that is very short, that is missing key details (what is collected, for how long, and whether it can be tied to an account) or that is needlessly technical, the latter sometimes being an attempt to confuse you. A VPN also has no business collecting per-user bandwidth usage or internet activity logs.
A VPN that tells you it logs absolutely nothing is also a red flag, because some operational data is needed to run the service. Reputable VPN companies may record small pieces of information, such as aggregate server load or the fact that a connection was made to a given server, to optimize performance. The caveat is that this data must not be stored alongside your account or your real IP address: per-user connection timestamps are exactly what lets an adversary correlate VPN sessions with activity observed elsewhere, so the policy should state that such data is aggregated or discarded quickly.
2. No independent audits
While having a no-logs policy is non-negotiable, it’s just as important that a VPN backs up its privacy claims by submitting its no-logs policy to regular independent audits. A VPN privacy audit is when a VPN company invites a reputable third-party cybersecurity firm to inspect its claims.
Although audits are the gold standard for assessing a VPN's privacy credentials, they don't paint the full picture. An audit is a snapshot: it can only state that the auditors found no evidence of logging in the systems and configuration they inspected during the engagement, not that none occurred before or after it, or on infrastructure outside its scope. Read the published report rather than the press release, and check what was actually in scope. Still, we recommend picking VPNs that regularly undergo independent third-party audits, preferably annually.
3. Poor or no customer support, or a dead website
Despite how user-friendly VPNs have become, there’s always a chance you might run into an issue and need professional help. That’s why virtually all of the top VPNs provide dedicated customer support either via live chat or email — often both — along with an in-depth knowledge base on their website with detailed setup guides, troubleshooting FAQs and sometimes even a blog with company and industry news.
On the other hand, shady VPN apps may not give you any way to reach a person at all, or the "support" may be an AI chatbot that dishes out unhelpful, canned responses. That's because they'll likely never pour in the resources required to maintain a lively website or a team of real human agents. Their mission is accomplished the moment you fall for their fake promises and pay for a subscription.
However, it's also worth noting that the presence of good customer support isn't a surefire way of telling whether a VPN is legit. Some fake VPN developers may intentionally leave shortcomings in their apps so you feel compelled to contact them. The bad actors then pose as legitimate support agents to trick you into clicking phishing links or sharing personal information.
4. If it’s based in a privacy-unfriendly jurisdiction
A VPN’s jurisdiction has a massive say in whether it can actually boost your digital privacy, since various entities, like national-level intelligence agencies, can order companies to hand over sensitive user information. They may even issue gag orders that make it illegal for the VPN to inform its users that they’re being forced to log or share data.
Some jurisdictions, like India, make it mandatory for VPN companies to log and submit user data. That’s why it’s ill-advised to choose a VPN based in such privacy-invasive locations. The most secure VPNs go a step further and pull their physical servers from such countries, choosing to offer virtual servers instead.
Countries within the Five Eyes, Nine Eyes and 14 Eyes international data-sharing alliances may share data with one another, so you may be concerned about a VPN company's jurisdiction in one of these regions. But as Mullvad has explained, it doesn't just matter whether your VPN's home country belongs to a data-sharing alliance; that country's own laws as they pertain to VPN companies also make a difference.
For example, even though Mullvad is based in Sweden, which is a 14 Eyes country, Sweden has strong privacy laws, meaning Mullvad isn’t compelled to log user data. So even if an authority comes asking for sensitive information, the VPN wouldn’t have anything to hand over in the first place. This again highlights the importance of choosing a VPN with a strong, audited no-logs privacy policy.
5. Lacks strong encryption or core privacy and security features
A VPN without strong encryption is like a door without locks. Almost all high-quality VPNs use one of two ciphers: AES-256 (in GCM mode) or ChaCha20-Poly1305. Both are authenticated encryption, so data passing through the tunnel can be neither read nor silently modified by anyone on the path.
Separately from the cipher, a VPN uses a tunneling protocol that sets up the connection, exchanges keys and carries the encrypted packets. Look for a VPN that offers at least one of the main modern protocols: WireGuard, OpenVPN or IKEv2/IPsec. Each has trade-offs. WireGuard is faster and has a small, modern codebase, while OpenVPN is slower but can run over TCP port 443 to get through restrictive networks. All three are secure when configured properly.
Note that some VPN companies provide proprietary or in-house protocols. For instance, NordVPN offers NordLynx (built on WireGuard) and NordWhisper, Proton VPN has Stealth and ExpressVPN includes Lightway. So long as the protocol uses modern, documented cryptography and has been covered by an independent audit, you should be fine; a "military-grade" protocol whose design the company won't describe is not.
If a VPN relies on PPTP, whose MS-CHAPv2 authentication has been broken for well over a decade, on dated designs such as L2TP/IPsec or SSTP, or doesn't explicitly state which protocols it uses at all, you're better off binning it from your list of considerations.
Furthermore, make sure your VPN provider has core privacy features such as a kill switch and leak protection. A kill switch blocks all internet traffic if the VPN connection drops, so nothing slips outside the tunnel while the client reconnects; the robust kind is a firewall rule that only permits traffic to the VPN server, rather than an app that notices the drop after the fact. Leak protection prevents DNS queries and IPv6 traffic from leaving your device outside the encrypted tunnel, either of which would reveal your real IP address or the sites you visit to your ISP. Verify both after installing, by dropping the connection mid-session to test the kill switch and by running a DNS leak test, rather than taking the feature list at face value.
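Much of what this section asks you to look for is visible in a provider's OpenVPN client profile (the .ovpn file many VPNs let you download for manual setup). The following linter is an added example, not code from the article or from any VPN provider: it parses a profile and flags an obsolete cipher, a weak HMAC, compression, a missing `remote-cert-tls server` line, an unpinned TLS floor and a resolver that isn't pinned to the tunnel. The two profiles at the bottom are constructed for illustration; the directive names it checks are real OpenVPN options.

```python
"""Lint an OpenVPN client profile (.ovpn) for the weak settings discussed above.

Added example, not code from the article or from any VPN provider. The two
profiles at the bottom are constructed; the directive names (cipher,
data-ciphers, auth, remote-cert-tls, tls-version-min, comp-lzo, compress,
allow-compression, block-outside-dns, dhcp-option) are real OpenVPN options.
"""
import shlex

# AEAD data-channel ciphers that reputable providers use.
STRONG_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
# Legacy ciphers that old OpenVPN builds still accept.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_profile(text):
    """Map each directive to the list of argument lists it appears with.

    Inline file blocks such as <ca>...</ca> are skipped, and lines starting
    with '#' or ';' are comments.
    """
    opts, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            parts = shlex.split(line)
            opts.setdefault(parts[0].lower(), []).append(parts[1:])
    return opts


def lint_profile(text):
    """Return (severity, code, message) findings for one client profile."""
    opts = parse_profile(text)
    findings = []

    # data-ciphers (2.5+) takes a colon-separated list; cipher takes one name.
    ciphers = []
    for args in opts.get("data-ciphers", []):
        ciphers += args[0].split(":") if args else []
    for args in opts.get("cipher", []):
        ciphers += args[:1]
    for name in (c.upper() for c in ciphers):
        if name in WEAK_CIPHERS:
            findings.append(("high", "weak-cipher",
                             f"{name} is obsolete; use AES-256-GCM or CHACHA20-POLY1305"))
        elif name not in STRONG_CIPHERS:
            findings.append(("low", "non-aead-cipher",
                             f"{name} is not an AEAD cipher; prefer a GCM or Poly1305 mode"))
    if not ciphers:
        findings.append(("info", "cipher-unspecified",
                         "no cipher/data-ciphers directive; the client's build default decides"))

    # HMAC for the control channel (and the data channel with non-AEAD ciphers).
    # OpenVPN falls back to SHA1 when the directive is absent.
    auth = opts.get("auth", [[]])[0]
    auth_name = auth[0].upper() if auth else "SHA1"
    if auth_name in WEAK_AUTH:
        findings.append(("medium", "weak-auth", f"auth {auth_name} is weak; use SHA256 or better"))

    # Without this, any certificate from the provider's CA, including another
    # customer's client certificate, is accepted as the server.
    if "remote-cert-tls" not in opts:
        findings.append(("high", "no-remote-cert-tls",
                         "add 'remote-cert-tls server' so a client cert cannot impersonate the server"))

    tls_min = opts.get("tls-version-min", [[]])[0]
    if not tls_min:
        findings.append(("info", "tls-min-unset", "pin 'tls-version-min 1.2' instead of the build default"))
    elif float(tls_min[0]) < 1.2:
        findings.append(("high", "weak-tls-min", f"tls-version-min {tls_min[0]} permits deprecated TLS"))

    # Compression leaks plaintext through ciphertext sizes; OpenVPN deprecated it.
    lzo = any(args[:1] != ["no"] for args in opts.get("comp-lzo", []))
    lz = any(args and args[0].lower() in {"lzo", "lz4", "lz4-v2"} for args in opts.get("compress", []))
    if lzo or lz:
        findings.append(("medium", "compression", "disable compression and set 'allow-compression no'"))

    # Without a resolver pinned to the tunnel, DNS queries may go to the ISP in the clear.
    pinned = "block-outside-dns" in opts or any(
        args and args[0].upper() == "DNS" for args in opts.get("dhcp-option", []))
    if not pinned:
        findings.append(("medium", "dns-not-pinned",
                         "no block-outside-dns or dhcp-option DNS; run a DNS leak test after connecting"))
    return findings


# Constructed sample profiles (not from any real provider).
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
auth SHA1
comp-lzo
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
allow-compression no
block-outside-dns
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} ==")
        for severity, code, message in lint_profile(profile) or [("ok", "-", "no findings")]:
            print(f"[{severity}] {code}: {message}")
```

Run it against a profile you downloaded from a provider; a clean result only says the profile is configured sensibly, not that the provider honours its no-logs policy, and `block-outside-dns` is a Windows-only directive, so on other platforms confirm DNS handling with a leak test once connected.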
6. Unrealistic claims
A VPN is undeniably a privacy-boosting tool, but it’s important to cut through the exaggerated VPN marketing lingo and understand that it’s not a do-it-all internet security solution.
For example, while a VPN like ExpressVPN can protect you from select threats, like an adversary-in-the-middle attack, it can’t realistically stop you from clicking on a phishing link and entering your sensitive information or guard against malware. Some VPN companies offer bundles that include other cybersecurity apps such as antivirus software, a password manager and identity theft protection, but a VPN itself is a privacy tool, not a security app. If you need a VPN with malware protection, consider one of the best VPNs with antivirus.
Likewise, if a VPN claims to provide total anonymity on public Wi-Fi, or anywhere else, that's a red flag. A VPN on public Wi-Fi does hide the content and destinations of your traffic from the hotspot operator and blunts adversary-in-the-middle attacks on that network, but it does not anonymize you. Someone on the hotspot can still see that you're connected to a VPN and how much traffic you send, and traffic-analysis techniques that look at packet sizes and timing can sometimes infer which sites you visit. More to the point, a VPN does little to hide your identity if you log in to services like Google, Meta or your bank with your real credentials: those services know who you are regardless of your IP address, and browser fingerprinting can track you even while the VPN masks it.
Other examples of over-the-top, unrealistic claims include guaranteeing to unblock every streaming platform in the world, improving your internet speeds by up to four times or detecting and protecting you from any form of malware and trackers. Unless a VPN specifically offers antivirus software and a tracker blocker, its claims to accomplish these feats may be a red flag.
7. Beware of free VPNs
Not all free VPNs are shady, but many of them are. According to a study, nearly two-thirds of free VPNs put your data at risk. Earlier in 2025, a popular free Chrome VPN extension was caught spying on its users’ online activities. As with any VPN you consider, examine the provider’s privacy policy to understand how it claims to handle your data. Generally, if you aren’t paying money, you may be paying by sacrificing your data, privacy, security or getting bombarded with ads.
We also recommend questioning the company's intent behind offering a no-cost product. Reputable providers design their free VPNs to give new users a taste of their legitimate service and impress them enough to upgrade to the paid plan, which is where they actually make money. This is also why even the best free VPNs (Proton VPN is the only free VPN we recommend) usually come with limits on simultaneous connections, server selection and monthly bandwidth.
Even though Proton VPN’s free plan offers unlimited data, you won’t get a huge selection of servers, unblocking capabilities or standout privacy features such as Secure Core servers that provide even more privacy than a standard VPN connection. Those are reserved for those who pay. The upside is that the free version of Proton VPN has the same strong privacy credentials as the company’s paid service, so you don’t have to worry about trading your privacy for a free server.
On the other hand, if a VPN doesn’t have a paid plan to sell you, chances are it’ll log your sensitive information and online activities and sell it to third parties like data brokers or advertisers. After all, it has to turn a profit somehow, and unlike Proton VPN, if there are no subscription fees and you’re not paying, you may be the product.
8. Poor performance
A VPN's main job is to protect your privacy, but that shouldn't come at the cost of your online experience. Encrypting and rerouting every packet always costs something, so a modest slowdown is normal; a drastic one, especially when you've invested in a fast home internet connection, could be a red flag. In one situation a VPN can even improve your speeds: if your ISP throttles particular kinds of traffic, such as streaming or gaming, the tunnel hides what you're doing from the ISP, so the throttling no longer triggers.
Beyond that, a shady VPN's poor performance could also point to a low server count. Unlike the fastest VPNs, which we narrowed down after hours of in-depth speed testing, fake VPNs may not invest in a global server network. As a result, you might not have a wealth of IP address options, and you may also have to tackle congested servers. During peak hours, you might not be able to connect to a server at all.
Still, some legitimate VPNs are slow and offer underwhelming performance. In our 2025 testing, we were disappointed in PIA's lackluster download speeds as well as the many CAPTCHAs we ran into. So if your VPN has poor performance, you'll need to do a bit of extra research and look for other signs to determine whether it's legit.
9. App permissions
Invasive app permissions are a major red flag to check before you install anything. A VPN app needs network access, and on Android the right to open the tunnel itself is granted through a separate system prompt the first time it connects, so it needs little else. If it asks for your photos or media library, contacts, SMS, microphone, camera, location or accessibility-service access, treat that as a warning sign. Location is the one that occasionally has a legitimate explanation, since reading the current Wi-Fi network's name for an auto-connect feature requires it on modern Android, but the app should say so. Review the permission list on the store page and in your OS settings, and revoke anything the app doesn't need. Beyond logging your online activities, a fake VPN with these permissions can snoop on your device and steal and sell every bit of personal information it can reach.
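On Android the permission list lives in the app's AndroidManifest.xml, which you can recover from an APK with apktool before installing. The audit below is an added example, not code from the article or from any VPN vendor: it separates the permissions a tunnel client genuinely needs from those that only make sense for data harvesting, flags an accessibility service (which can read and act on every other app's screen) and checks that the app actually declares a VpnService, without which it cannot route traffic at all. The two manifests are constructed for illustration; the permission and action names are the real Android identifiers.

```python
"""Audit the permissions an Android VPN app declares in its AndroidManifest.xml.

Added example, not code from the article or from any VPN vendor. The manifests
below are constructed; with a real app, decode the APK with apktool and pass
its AndroidManifest.xml to audit_manifest(). Permission and action names are
the real Android identifiers.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# What a tunnel client legitimately needs: network access plus the plumbing
# for a persistent foreground service and its status notification.
EXPECTED = {P + n for n in ("INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE",
                             "FOREGROUND_SERVICE", "POST_NOTIFICATIONS", "RECEIVE_BOOT_COMPLETED")}
# Plausible only with an explanation: reading the current Wi-Fi SSID for an
# "auto-connect on untrusted networks" feature requires location on modern Android.
EXPLAINABLE = {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"}
# Nothing a VPN needs; each is a data-harvesting or device-takeover capability.
RED_FLAGS = {
    P + "READ_CONTACTS": "address book", P + "READ_SMS": "one-time codes in SMS",
    P + "RECEIVE_SMS": "intercepts incoming SMS", P + "RECORD_AUDIO": "microphone",
    P + "CAMERA": "camera", P + "READ_EXTERNAL_STORAGE": "photos and files",
    P + "READ_MEDIA_IMAGES": "photo library", P + "READ_PHONE_STATE": "device identifiers",
    P + "GET_ACCOUNTS": "accounts on the device", P + "QUERY_ALL_PACKAGES": "installed-app inventory",
    P + "REQUEST_INSTALL_PACKAGES": "can sideload more apps",
    P + "SYSTEM_ALERT_WINDOW": "overlays usable for phishing",
}


def audit_manifest(xml_text):
    """Return (severity, code, detail) findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("uses-permission"):
        perm = node.get(NS + "name", "")
        if perm in RED_FLAGS:
            findings.append(("high", "red-flag-permission", f"{perm}: {RED_FLAGS[perm]}"))
        elif perm in EXPLAINABLE:
            findings.append(("medium", "explainable-permission",
                             f"{perm}: acceptable only if the app explains why (e.g. SSID-based auto-connect)"))
        elif perm not in EXPECTED:
            findings.append(("low", "unexpected-permission", perm))

    # A real tunnel is a VpnService: a <service> guarded by BIND_VPN_SERVICE that
    # handles the android.net.VpnService action. The OS then shows its own consent
    # prompt; the app never needs a blanket permission for that.
    has_vpn_service = False
    for svc in root.iter("service"):
        guard = svc.get(NS + "permission", "")
        actions = {a.get(NS + "name") for a in svc.iter("action")}
        if guard == P + "BIND_VPN_SERVICE" and "android.net.VpnService" in actions:
            has_vpn_service = True
        if guard == P + "BIND_ACCESSIBILITY_SERVICE":
            findings.append(("high", "accessibility-service",
                             f"{svc.get(NS + 'name')} can read and act on other apps' screens"))
    if not has_vpn_service:
        findings.append(("high", "no-vpn-service", "no VpnService declared; the app cannot tunnel traffic"))
    return findings


# Constructed manifests: one over-privileged "VPN", one that asks only for what it needs.
SHADY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for severity, code, detail in audit_manifest(SHADY_MANIFEST):
        print(f"[{severity}] {code}: {detail}")
    print("clean manifest findings:", audit_manifest(CLEAN_MANIFEST))
```

A manifest that passes this check is not proof of good behaviour, since a malicious app can still misuse ordinary network access, but one that fails it has no business calling itself a VPN.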
