A VPN’s job is to keep you anonymous online by encrypting your internet traffic and hiding your real IP address. It does a great job of preventing snoopers — including your internet service provider and government surveillance agencies — from seeing your online traffic. However, does a VPN protect you from hackers?
That’s the question we’ll try to answer in this article.
Key Takeaways: VPN Protection From Hackers
- A VPN provides encryption and hides your IP address, which can protect you from many types of cyberattacks.
- VPNs can safeguard you against attacks that exploit network vulnerabilities (known as man-in-the-middle attacks), as well as DDoS attacks and other remote attacks.
- A VPN will not protect you from most forms of malware, social engineering (including phishing) and attacks exploiting software vulnerabilities.
- You need to use a multilayered approach to fully protect yourself online, including using antivirus software, a password manager and two-factor authentication.
A virtual private network, or VPN, is an essential tool for online protection. However, despite nearly 90% of U.S. citizens being familiar with VPNs, around 20% don’t understand the benefits of using them, and many still think that a VPN can protect them from any kind of cyberattack.
While that’s true for many online threats, a VPN service is not a magic hacker-repellent shield. There are many things that a VPN can’t protect you from, which is why our team of security experts has put together this guide to help clear the air. Read on to learn how a VPN keeps you safe and what it can and can’t protect you from.
Even though a VPN defends against eavesdropping, ISP tracking and man-in-the-middle attacks, you can still be hacked while using a VPN. A VPN can’t protect you against malware, social engineering, phishing, data leaks and software security flaws.
A VPN can indeed be hacked. A VPN app could have a software vulnerability that an attacker can exploit, or it could have a server hacked.
Most VPNs will not protect you from viruses, except for the few that come with full-fledged antivirus protection.
How Does a VPN Protect You From Hackers?
VPNs employ all kinds of advanced technologies to keep people from discovering your identity, but there are two main ways they protect your internet connection. First, a VPN hides your online activity from others by encrypting your internet connection. Then, it routes your traffic through a VPN server to change your IP address and hide your device information.
How a VPN Protects Your Internet Connection With Encryption
VPN encryption can be a bit difficult to explain, but the broad-strokes version is that a VPN uses complex algorithms to make your internet traffic look like nonsense. Without getting into the weeds, the encryption process is enabled by a VPN protocol that establishes the secure VPN connection between your device and the VPN server.
To secure the connection, the VPN service encrypts your traffic using an encryption protocol, scrambling your traffic and making it unintelligible to third parties. Below, you’ll see an image depicting how encrypted and unencrypted data looks. If you want a deeper dive into VPN encryption, you can check out our guide on VPN security or our VPN protocol guide.
Secure VPN Server Routing
Besides encrypting your traffic, a VPN also uses a secure server network to route your traffic. VPN stands for “virtual private network,” and this network consists of VPN servers and the devices connected to them. The network is virtual because the devices connect over the internet instead of physical cables, and it’s private because the connection happens through an encrypted tunnel.
When you connect to a VPN server, the VPN software first encrypts your data, which then travels through the internet to the VPN server, where it gets decrypted. The VPN server then accesses the internet on your behalf, acting as a middleman that keeps your identity secret.
Besides protecting you, accessing a VPN server in another country will make others think that you’re located there. This can be useful for unblocking streaming sites to gain access to geographically restricted content, like the U.S. Netflix library.
What Does a VPN Protect You From?
A VPN service can protect your internet-connected device from many types of threats. The encrypted connection and IP masking can prevent most forms of online tracking and surveillance, as well as cyberattacks that exploit an unprotected connection. The following list compiles the most prominent threats and cyberattacks a VPN can protect you from.
1. Man-in-the-Middle (MitM) Attacks
There’s always an inherent danger to using public WiFi networks without a VPN because an attacker on the same network might place themselves between your device and the online server it’s connecting to, performing what’s called a man-in-the-middle attack (or MitM attack). Positioned this way, an attacker can see and possibly manipulate all of your traffic, which we’ll explain next.
VPNs secure public WiFi connections and protect you against man-in-the-middle attacks by sending all of your data through an encrypted tunnel that secures data transmission between your device and the internet. This ensures that no one can see your traffic before it reaches the VPN server.
2. Packet Sniffing
Packet sniffing can be used to monitor and analyze the internet activity on a network. For example, our security experts use it to test VPNs for vulnerabilities. However, packet sniffing can also let an attacker see sensitive data like your login info and banking details, or any other data you input while connected to the public WiFi network.
A VPN prevents traffic analysis, which makes you impervious to packet sniffing, even when connecting to unsecured public WiFi networks.
3. Malware Injection Attacks
An attacker can also use packet sniffing to see traffic from websites to your device. Once an attacker has access to your incoming traffic, they can intercept it and inject it with malware that attacks your device.
VPNs can protect you from malware injection thanks to their powerful encryption, but some go the extra mile and provide malware blockers that block malicious websites at the DNS level, like CyberGhost does (read our CyberGhost review). Some even come with complete antivirus options, like NordVPN’s threat protection (read our NordVPN review).
4. DNS Spoofing (DNS Poisoning)
As you visit websites and interact with them, you send DNS requests to the websites’ servers. If an attacker can see your DNS requests, they can redirect you to a fake website. If you enter any sensitive information like payment card details into the website, the attacker will be able to see it in full, gaining access to your funds or other potentially dangerous information.
VPNs can keep you safe from DNS poisoning by encrypting your DNS requests, and good providers like ExpressVPN and NordVPN even handle them through their own DNS servers (read our ExpressVPN review).
However, a VPN could have DNS leaks or accidentally disconnect. Having your VPN’s kill switch on at all times greatly reduces the risk of DNS leaks by shutting down your internet in the event your VPN disconnects.
5. Malicious WiFi Hotspots (Evil Twins)
You may have noticed a pattern by now: Using free WiFi networks without the protection of a VPN can be dangerous. This is especially so when you connect to a malicious WiFi hotspot, also known as an evil twin. Evil twins are fake WiFi hotspots with a similar name to another public network, like the public WiFi at a Starbucks.
When you’re connected to a fake WiFi hotspot, all your traffic is visible to the attacker, unless you’re using a VPN. Because a VPN encrypts your data before it leaves your device, you’ll be safe even if you mistakenly connect to a malicious hotspot.
6. Distributed Denial of Service (DDoS) Attacks
Although distributed denial of service (or DDoS) attacks usually hit websites and online services, they are frequently used in competitive online gaming to prevent an opponent from connecting to the game’s servers. A DDoS attack can happen if someone discovers your IP address, which is possible when you’re in the same game lobby.
A DDoS attack consists of a large network of bots simultaneously trying to communicate with your IP address, clogging your internet connection. Such attacks can cause your game to become unresponsive. A VPN hides your IP address, making it impossible for someone to target you while you’re connected.
7. Remote Access Attacks
Apart from DDoS attacks, all the other cyberattacks we listed could be considered remote access attacks. Remote attacks usually rely on exploiting security flaws in a network or software.
Other remote attacks not mentioned include port scanning, which targets unsecured ports in a network, and remote desktop protocol (RDP) attacks, which exploit flaws in the remote access protocol on Windows.
You probably get the picture by now, but it’s worth mentioning that a VPN can protect you from pretty much all remote attacks. No attacker can gain access to your device because your connection passes through an encrypted VPN tunnel.
What Will a VPN Not Protect You From?
Although VPNs are indispensable for online security, they can’t protect you from everything. Here are a few cyber-threats that a VPN can’t protect you from.
1. Malicious Software (Malware)
Unless it has a built-in malware blocker, a VPN won’t protect you from malware downloaded from the internet. Antivirus software is the only thing that can provide complete protection from malware. Here’s our list of the best VPNs with antivirus features if you need a recommendation.
2. Social Engineering & Phishing Attacks
Social engineering is probably the most powerful tool in a hacker’s arsenal. By using personal data, like your email, name, workplace and names of relatives, a hacker can send targeted attacks, such as phishing emails, that seem to come from a legitimate sender, like the IRS or your boss, and that most of the time assume a threatening tone.
They will usually require you to either click on a malicious link, download a malware attachment, send money to a bank account or reply with your sensitive information, like your social security number. Because phishing attacks and other social engineering methods happen over email or other forms of communication, there’s nothing a VPN can do to protect you from them.
3. Data Leaks
If an online service keeps records of your login credentials, there’s a danger it might leak them. Data leaks are very frequent, and not even the rich and powerful are safe. A data leak usually happens due to either a successful phishing attack on a company employee, or a malicious staff member with a high level of access.
If your login credentials leak, you’ll lose access to your account, but if you have other online accounts that use the same password, you’ll likely lose access to those too. You can even have your entire browsing history exposed if the service has that data. Worse still, online payment services could leak your credit card info.
Although a VPN can’t protect you from data leaks, a password manager can help mitigate some of the fallout. Password managers can shield you from identity theft by generating a random strong password for every account you create. ExpressVPN is an excellent VPN that has an integrated password manager called ExpressVPN Keys (read our ExpressVPN Keys review).
4. Software Security Flaws
Software, including operating systems, can have serious flaws in their security. A skilled attacker could exploit software vulnerabilities to gain access to your device, install malware, and even lock your device and demand ransom (read our ransomware statistics article).
The most dangerous type of attack is a so-called zero-day attack, where a hacker exploits a vulnerability present at launch, before the software gets patched.
Keeping your software up to date can help you avoid these kinds of attacks, and that includes your operating system. If you’re reluctant to update your device’s software, at the very least watch out for updates that bring security patches.
5. Human Error
Even with the best VPN, antivirus and password manager, you can still fall prey to a cyberattack. Human error is one of the most prominent causes of cybersecurity failures, according to a report by IBM.
By visiting a malicious website, acting on a phishing email or inadvertently downloading an infected file, you could become the victim of a cyberattack, regardless of the cybersecurity tools you use.
Thankfully, there are things you can do to minimize the chance of that happening. You should always back up and password protect your files using a secure online backup service. Avoid installing unofficial apps, especially if you’ve torrented the installer file. Make sure to always use complex passwords and two-factor authentication to prevent anyone from accessing your accounts.
How to Find a Secure VPN Provider
Not all VPNs are created equal. In our years of reviewing and testing VPNs, we’ve developed certain criteria that we expect a VPN to pass before we can deem it secure.
The first thing to look out for is a basic security feature: a kill switch that disconnects you from the internet in case the VPN loses its connection to the server. Next, a good VPN supports various secure protocols, like OpenVPN and WireGuard, and avoids outdated ones like L2TP/IPsec.
Finally, you should confirm that a VPN has no leaks. You could try using a packet inspector yourself, though you could also just refer to our best VPN list. Our security experts regularly test VPNs and run multiple types of tests to make sure all of our recommendations are secure.
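The leak check described above (and the DNS leaks mentioned in the DNS spoofing section), as an added example that is not from the original article: it reads a summary of outbound packets and flags anything, DNS queries in particular, that leaves on the physical interface instead of through the tunnel. The tunnel interface name `tun0`, the VPN endpoint `203.0.113.10:1194/udp` and the simplified capture format are assumptions made for illustration.

```python
import ipaddress

# Assumed values for this example (not from the article).
TUNNEL_IFACE = "tun0"
VPN_ENDPOINT = ("203.0.113.10", 1194, "udp")  # documentation-range address
DNS_PORTS = {53, 853}  # plain DNS and DNS over TLS

# Constructed sample of outbound packets, one per line, in a simplified
# "<iface> <proto> <src> <dst>" form (not raw packet-inspector output).
SAMPLE_CAPTURE = """\
wlan0 udp 192.168.1.23:40112 203.0.113.10:1194
tun0 udp 10.8.0.2:53311 10.8.0.1:53
tun0 tcp 10.8.0.2:44210 198.51.100.7:443
wlan0 udp 192.168.1.23:51234 192.168.1.1:53
wlan0 tcp 192.168.1.23:44300 198.51.100.7:443
wlan0 udp 192.168.1.23:68 255.255.255.255:67
wlan0 udp [2001:db8::23]:51000 [2001:db8::53]:53
"""

def parse_line(line):
    iface, proto, _src, dst = line.split()
    host, port = dst.rsplit(":", 1)
    host = host.strip("[]")      # IPv6 literals are written as [addr]:port
    ipaddress.ip_address(host)   # raises ValueError on a malformed address
    return iface, proto.lower(), host, int(port)

def classify(iface, proto, dst_ip, dst_port):
    if iface == TUNNEL_IFACE:
        return "tunnelled"       # travelling inside the encrypted tunnel
    if (dst_ip, dst_port, proto) == VPN_ENDPOINT:
        return "vpn-carrier"     # the encrypted tunnel on the physical link
    if proto == "udp" and dst_port == 67:
        return "dhcp"            # local lease traffic, expected off-tunnel
    if dst_port in DNS_PORTS:
        return "dns-leak"        # resolver query bypassing the VPN
    return "traffic-leak"        # any other packet bypassing the VPN

def find_leaks(capture):
    leaks = []
    for line in filter(str.strip, capture.splitlines()):
        pkt = parse_line(line)
        verdict = classify(*pkt)
        if verdict.endswith("-leak"):
            leaks.append((verdict, pkt[0], pkt[2], pkt[3]))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE):
        print(*leak)
```

The IPv6 line in the sample is there because a tunnel that only carries IPv4 can leave IPv6 queries on the physical interface, which an IPv4-only check would miss.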
Are Free VPNs Secure?
If you thought that finding a secure VPN is difficult, it’s even harder to find a good free VPN. According to a study by Security.org, nearly two-thirds of free VPN users faced some kind of performance issue.
Although slow speeds are the most frequent complaint, 2% of participants experienced malware attempts, while 3% were concerned about identity theft. More concerning, a further 10% experienced bugs, which could make the VPN vulnerable to attacks.
Thankfully, there are a few good free VPNs out there. If you’re really strapped for cash, you can use our best free VPN list to find a recommendation, though keep in mind that all free VPNs come with some restrictions, whether it’s slow speeds, capped data or a limited selection of servers.
Final Thoughts: Virtual Private Network Protection
Remember, while a VPN can offer an important layer of security, it’s not a silver bullet. A VPN only enhances your online privacy and should be part of a multilayered approach to security, including using unique strong passwords, two-factor authentication, antivirus software and safe browsing habits.
While a VPN will hide your online activity and keep you safe from MitM type attacks — even while using unsecured public WiFi hotspots — it can’t protect you from most types of malicious software. Additionally, if you’re not careful, you can still become a victim of phishing. You could even fall prey to an attack that you just can’t defend against, like a zero-day attack.
Were you aware that a VPN can’t protect you from viruses? Have you used a VPN with a malware blocker? What measures do you take to stay safe online? Let us know in the comments below and, as always, thank you for reading.