
VPNs help security when the main risk is someone watching your network connection (like a café Wi-Fi snooper or your ISP). They don’t help when the risk is what happens on your device or inside your accounts (phishing, malware, weak passwords, trackers, or a hacked website).
What a VPN actually does (in plain language)
A VPN creates an encrypted “tunnel” from your device to a VPN company’s server. Your internet provider (and most people on the same local network) can see that you’re connected to a VPN, but they can’t easily read the traffic inside the tunnel. After your traffic reaches the VPN server, it exits to the wider internet from there, so websites see the VPN server’s IP address instead of your home/hotel IP. (cloudflare.com)
That last part is the tradeoff most people miss: a VPN doesn’t remove trust—it moves it. Instead of your ISP being in the best position to observe your connections, the VPN provider is. (cloudflare.com)
When a VPN does help with security
1) Risk: someone on the same Wi-Fi tries to spy or tamper with traffic
On open or poorly secured networks (some public Wi-Fi, shared apartment routers, certain hotel setups), the local network can be a hostile place. A VPN makes it much harder for a nearby attacker to see what your device is sending and receiving, because your device is mostly talking through one encrypted tunnel. This is most useful for apps or devices that still make insecure connections, or for reducing exposure to local-network “tricks” aimed at monitoring you. (cloudflare.com)
Important nuance: many modern websites already use HTTPS, which encrypts content between your browser and the site. Even then, a VPN can still reduce what the local network learns about your connections (because your network mostly sees “VPN traffic” rather than lots of separate destinations). (cloudflare.com)
2) Risk: your ISP can profile your browsing patterns
Without a VPN, your ISP is well placed to observe where your device connects and when, and to associate that with your account and location. With a VPN, your ISP mainly sees an encrypted connection to the VPN service. This doesn’t make you “invisible,” but it can reduce ISP-level visibility into your destination traffic patterns. (Mozilla)
3) Risk: you need a safer “bridge” back to a private network (work/school/home)
Many organizations use VPNs so remote users can reach internal systems that are not exposed to the public internet. In that scenario, the VPN’s security benefit is straightforward: it’s an authenticated, encrypted path into a private network that would otherwise be unreachable or unsafe to expose directly. Corporate guidance often emphasizes using standards-based VPNs, patching quickly, and adding strong authentication because VPNs can be high-value targets. (cisa.gov)
4) Risk: IP-based targeting that depends on your current network
Some attacks and account protections use IP reputation and location signals. A VPN can change what IP address websites see, which can sometimes reduce the usefulness of IP-based targeting tied to your current network (like a sketchy shared Wi-Fi). This is not a guarantee of safety; it’s just changing one signal that outsiders can easily see. (cloudflare.com)
When a VPN does not help (common misunderstandings)
1) Phishing is still phishing
If a scam page convinces someone to type in a password or a one-time code, a VPN can’t fix that. The connection can be perfectly encrypted and still lead to the wrong place. A VPN protects the path your data travels on certain networks; it doesn’t verify that a site or message is genuine. (This is why security guides treat VPNs as a tool for specific situations, not a universal shield.) (ssd.eff.org)
2) Malware, bad downloads, and infected devices
If the device itself is compromised, a VPN is mostly irrelevant. Malware runs on your device, so it can read what you type, steal browser cookies, access saved passwords, or send data out through the VPN tunnel just as easily as through a normal connection. A VPN is not antivirus, not an app permission system, and not a device cleanup tool. (ssd.eff.org)
3) It won’t stop tracking by websites and ad networks
A lot of tracking does not rely on your IP address. Cookies, device fingerprinting, logged-in accounts, and embedded trackers can still recognize you across sessions—even if you change IPs. A VPN might slightly reduce easy IP-based correlation, but it doesn’t remove the bigger identifiers that most tracking uses. (ssd.eff.org)
4) It does not create true anonymity
A VPN hides your IP from the sites you visit, but it doesn’t erase who you are if you log in, reuse identifiers, or can be correlated by timing and behavior. Also, your VPN provider can potentially see metadata about where your traffic goes, and your privacy depends heavily on that provider’s policies and technical design. Treat “anonymous VPN” claims as marketing unless you have a concrete reason to trust them. (ssd.eff.org)
5) It doesn’t magically “upgrade” encryption everywhere
A VPN encrypts traffic between your device and the VPN server. It does not automatically encrypt the leg from the VPN server to the final website unless the app/site uses its own encryption (like HTTPS). In practice, much of the web is already HTTPS, so the VPN often changes who can observe your connection metadata more than it changes whether the content is encrypted end-to-end. (cloudflare.com)
The “who can see what” cheat sheet
- Without a VPN: your ISP and local network are well positioned to observe your connections; websites see your IP. (cloudflare.com)
- With a VPN: your ISP/local network mainly see an encrypted tunnel to the VPN; websites see the VPN’s IP; the VPN provider is now the central observer of your outbound connections. (cloudflare.com)
Thinking this way keeps the decision simple: a VPN is useful when the network you’re on is the problem, and much less useful when the device/account is the problem.
How VPNs can fail in real life (and what that means)
VPN apps are software, and software can misbehave. Some failures are basic—like a momentary disconnect that lets traffic continue outside the tunnel. Others are more technical—like certain local-network techniques that can push some traffic around the VPN under specific conditions. Security researchers and digital rights groups have discussed examples where a local attacker can force some traffic to bypass VPN protections, which matters most on hostile networks. (Electronic Frontier Foundation)
This doesn’t mean “VPNs are useless.” It means the benefit is situational and depends on correct configuration, up-to-date software, and realistic expectations. (Electronic Frontier Foundation)
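Both failure modes above can be checked from the device's routing table. The sketch below is an added example, not something from the cited sources: it assumes a Linux-style `ip -4 route show` listing, a tunnel interface named `tun0`, a Wi-Fi interface named `wlan0`, and constructed documentation addresses. It uses longest-prefix matching to show which interface a destination would actually leave through, and flags any route that beats the tunnel's own routes.

```python
import ipaddress

# Constructed sample of `ip -4 route show` output, not captured from a real host.
# Assumed names: tun0 = VPN tunnel, wlan0 = Wi-Fi, 203.0.113.10 = VPN server.
SAMPLE_ROUTES = """\
0.0.0.0/1 dev tun0
128.0.0.0/1 dev tun0
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 scope link
203.0.113.10 via 192.168.1.1 dev wlan0
198.51.100.0/24 via 192.168.1.1 dev wlan0
"""
# Routes that are supposed to stay off the tunnel: the VPN server and the LAN.
EXPECTED_OFF_TUNNEL = ("203.0.113.10/32", "192.168.1.0/24")

def parse_routes(text):
    """Return [(network, interface)] from `ip -4 route show` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_interface(routes, destination):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def bypass_routes(routes, tunnel_dev, expected=()):
    """Off-tunnel routes more specific than a tunnel route that covers them."""
    allowed = [ipaddress.ip_network(n) for n in expected]
    tunnel_nets = [net for net, dev in routes if dev == tunnel_dev]
    flagged = []
    for net, dev in routes:
        if dev == tunnel_dev or net in allowed:
            continue
        if any(net.subnet_of(t) and net.prefixlen > t.prefixlen for t in tunnel_nets):
            flagged.append((str(net), dev))
    return flagged

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    print("bypassing the tunnel:", bypass_routes(table, "tun0", EXPECTED_OFF_TUNNEL))
```

If the `tun0` lines disappear after a disconnect, the same lookup shows every destination leaving through `wlan0`, which is the "traffic continues outside the tunnel" case.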
Practical decision rules (plain-language scenarios)
Use a VPN when:
- You’re on public/shared Wi-Fi you don’t control and you want to reduce local-network exposure. (cloudflare.com)
- You want to reduce ISP-level visibility into what destinations your device contacts. (Mozilla)
- You need secure access into a private network for work/school (and they require it). (cisa.gov)
Don’t rely on a VPN when:
- You’re worried about phishing, scams, or fake login pages. (ssd.eff.org)
- You suspect malware, sketchy downloads, or a compromised device. (ssd.eff.org)
- You want to avoid ad tracking or “be anonymous” while staying logged into identifiable accounts. (ssd.eff.org)
What to look for if the VPN is for security (not hype)
A security-useful VPN is one you can consistently keep updated and correctly enabled, from a provider with clear documentation about what they log and how the tunnel works. Also pay attention to whether it protects the whole device or only one app/browser—some “VPN-like” features only cover traffic inside a specific application. (support.mozilla.org)
For work VPNs, follow organizational guidance closely: hardening, prompt patching, and strong authentication (like multi-factor) matter because VPN gateways are high-value targets. (cisa.gov)
Why this matters
People buy VPNs expecting a universal safety shield, then skip the protections that actually stop common account takeovers and device compromise. Using a VPN for the right threats—and not trusting it for the wrong ones—reduces risk without adding false confidence.
Sources
- Cloudflare Learning Center: What is a VPN? (cloudflare.com)
- EFF: Choosing the VPN That’s Right for You (ssd.eff.org)
- EFF: A Wider View on TunnelVision and VPN Advice (Electronic Frontier Foundation)
- CISA Alert: Selecting and Hardening VPNs (cisa.gov)
- Mozilla Support: What is Mozilla VPN and how does it work? (support.mozilla.org)
Next Step: https://cyberspark.blog/2026/01/20/baseline-account-protection-settings-for-every-account/
