10 common dangers VPNs won't protect you from online – and how to avoid them
![10 common dangers VPNs won't protect you from online – and how to avoid them](https://www.zdnet.com/a/img/resize/f1631e7a49e1323f644809821998eaa576636cb0/2025/02/12/ab7f0d57-45c7-44b9-8ff2-10311068c81b/gettyimages-2181724261.jpg?auto=webp&fit=crop&height=675&width=1200)
VPNs are a hot topic among ZDNET readers. Many of you use VPNs to protect your communications, to protect your privacy or location, or to location-shift your apparent physical address (which may or may not violate various sites’ terms of service).
If you’re not familiar with what a VPN does, my VPN explainer will give you a really good understanding. The key thing to keep in mind is that a VPN encrypts your connection from your computer to the VPN servers. That’s all.
VPNs don’t change what happens on the websites you visit, they don’t protect what you do on those sites, and they don’t protect what happens on your computer. VPNs are merely a tunnel. Do not ascribe magical protective powers to them, because VPNs can’t protect you from doing stupid things online.
What follows are 10 (of the oh-so-many) ill-advised things folks do online that VPNs can’t protect them from.
1. Entering sensitive information on an HTTP site
Google and browser makers have pushed really hard to secure the HTTP protocol, which is why most web addresses today begin with the https: prefix. Getting SSL certificates, and securing websites, has become much easier in recent years, with most hosting providers making HTTPS security an easy default.
But there are still many older or poorly maintained websites that haven’t gone through the conversion to secured HTTP. Many of those sites are community sites, small business sites, club sites, and organization sites like those run by alumni associations. What makes this a real risk is that these are often sites run by groups you trust. They’re also sites where you’re likely to enter personal information, even if it’s just keeping your membership information current.
Nothing in a VPN will prevent you from posting to an unsecured site.
2. Entering personal information on a hacked or malicious site
This is a corollary to #1 above. Even if a site is using the HTTPS protocol, even if there’s that little lock icon on the browser bar, the site itself might be malicious or corrupted. Since you may not know that a normally trusted site has been hacked, I recommend you regularly check your bank accounts to be sure you haven’t been the victim of fraud.
Use caution where you provide personal identifying information. Use caution where you enter financial information. Sites that appear legitimate may have been hacked. There are also sites that you know seem a bit problematic.
Nothing in a VPN will prevent you from entering personal information on a hacked or malicious site.
3. Downloading malware
Speaking of insecure or poorly maintained websites, those are also the sites that may well be corrupted by malware. Many malware infections come from trusted sites, so you don’t have to be visiting something prurient or illegal to get infected.
Fortunately, today’s operating systems and updated browsers do a fairly good job of malware protection, but you have to make sure your systems are up-to-date, otherwise new infections might sneak by.
Nothing in a VPN will prevent you from downloading a malware payload.
4. Ignoring software and security updates
Speaking of ignoring updates, make sure you do updates. Operating systems and browsers do a very good job of intercepting malware, but only if they’re current. This is an arms race, where the bad guys are constantly looking for exploits.
If an exploit is found by a bad actor, there’s usually a very short window of time before the OS or browser vendors plug that exploit in the form of a patch. But if you don’t update, you won’t have that patch, and you’ll continue to be vulnerable.
If you’re not sure you can keep up with the updates, most systems allow you to turn on auto-updates. Maybe that’s the best path for you to take.
Nothing in a VPN will update your systems for you.
5. Installing shady browser extensions
Here’s the thing. Browser extensions that were once just fine can sometimes get updates that then contain malware payloads. That might be because the extension got hacked, or it might be because the extension was initially posted to gain an audience and was then corrupted on purpose by its owner.
Right after New Year’s, my Chrome browser informed me that I was running an extension that might have been unsafe. It was just a page reader that I had used on and off for years. But suddenly, it was unsafe.
Nothing in a VPN would have prevented that browser extension from turning to the dark side.
6. Having sloppy password hygiene
Do you use the same password everywhere? Do you use something short and easy to remember? Are you using the name of a pet or a child? Do you use “123456” as a password? Are you one of those hotshots who use the word “password” as your password?
Stop. It.
Passwords may be giving way to passkeys, but the transition is far from done. Only a small percentage of sites accept passkeys, passkeys are still somewhat problematic, and of the sites that implement passkeys, some do so in weirdly unhelpful ways.
So use strong passwords. Use a different password for every site. And remember that while your VPN might protect your connection from your computer to their servers, nothing in a VPN will make your password unguessable, especially if your passwords are all “password.”
Nothing in a VPN will protect you from using bad passwords.
7. Ignoring multifactor authentication
I recently got an email from a cloud service I rely upon every day. The email informed me that someone had requested a password reset on my account. I get some sort of notice on a regular basis about someone trying to break into one account or another. So far, I’ve been safe because I use multifactor authentication.
That means that even if someone knows my username and somehow gets my password, they can’t get into my accounts. Using passwords alone is far from safe. Some sites store passwords without encrypting them. If they’re sloppy in password management, they’re likely to be sloppy in terms of breach protection. Once your passwords are leaked to the web through a breach, it’s only a matter of time before someone tries using them on your accounts.
That’s where multifactor authentication comes in. It adds a second factor to the login process – a code texted to your phone for example. Without having access to that second factor, even if a bad actor knows your password, they can’t log in.
But you have to set that up for all your accounts that will allow it.
Nothing in a VPN will prevent hackers from using a stolen password and accessing your accounts if you don’t have a second factor. And a VPN will not make you set up additional-factor authentication for all your accounts.
8. Opening potentially malicious email attachments
One of the most prevalent ways malware gets onto computer systems is when a user opens an email attachment. Clicking on email attachments often causes the system to oh-so-helpfully run the attachment, whether that’s opening something like Excel to read a spreadsheet, opening a PDF viewer to read a PDF, or even just running the attachment as a program.
If you fall prey to the lure of attachments, very bad things can happen. Nothing in a VPN will keep you from clicking on a malicious attachment or prevent it from running.
9. Getting fooled by phishing emails
Phishing emails are designed by their perpetrators to fool their victims. I got one the other day that purported to be from PayPal. Many of the links looked like they were actual PayPal links (even if you copied the link and pasted it into a text editor to inspect). But the email was clearly some form of spurious email intended to fool its victim into taking an unsafe action.
Fortunately, modern email managers and browsers do their best to block phishing emails, but many do get through anyway. You need to use your Spidey-sense to have situational awareness when going through your email.
Nothing in a VPN will prevent you from getting a phishing email or from acting on the grift the message may contain.
10. Getting ripped off online
Caveat emptor. Buyer beware. When you order something online, you’re always taking something of a risk. Services like Amazon and eBay do their best to reduce the risk by offering generous returns or buyer safety guarantees, but the risk is always there.
As part of my job, I often have to sign up and pay for cloud services, some of very dubious origins. Since there’s no way I’m going to give them my own credit card, I’ve taken to using Privacy.com to create one-time use, dollar-limited cards. That way, the worst that can happen is that I lose the cost of a one-month payment (which has happened, but thankfully quite rarely).
Nothing in a VPN will prevent you from giving your card number to the wrong people or getting scammed. Use tools like Privacy and services like eBay, Amazon, and PayPal to help mitigate those risks. You can also try disputing charges on your credit card.
What do you think?
Have you ever assumed your VPN was protecting you from more than it actually does? Which of these common online mistakes surprised you the most? Do you use additional security measures beyond a VPN, like password managers or multifactor authentication? Have you ever fallen for a phishing scam or downloaded malware despite thinking you were protected? Share your thoughts and experiences in the comments below.
You can follow my day-to-day project updates on social media. Be sure to subscribe to my weekly update newsletter, and follow me on Twitter/X at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, on Bluesky at @DavidGewirtz.com, and on YouTube at YouTube.com/DavidGewirtzTV.