VPNs are excellent at what they do: encrypting your internet traffic, hiding your IP address, and preventing your ISP from monitoring your browsing. But VPN marketing often overpromises, creating a false sense of total protection. Understanding the limits of a VPN is just as important as understanding its benefits.
1. Malware and Viruses
A VPN encrypts the connection between your device and the VPN server. It does not inspect, scan, or filter the content that travels through that connection. If you download a file containing malware, the VPN will faithfully encrypt that malware in transit -- and then your device will faithfully install it.
VPNs are not antivirus software. They operate at the network layer, not the application layer. They cannot detect a trojan hidden in a PDF, a keylogger bundled with a cracked game, or ransomware masquerading as a legitimate download.
What to Do Instead
Use a reputable antivirus program alongside your VPN. Some VPNs include basic malware blocking (NordVPN's Threat Protection Pro, Surfshark's CleanWeb), but these work at the DNS level -- they block known malicious domains before your device connects to them. This is useful but does not replace full antivirus protection.
2. Phishing Attacks
Phishing is when an attacker tricks you into visiting a fake website that looks like a real one (fake bank login, fake email login, fake Amazon page) and entering your credentials. The fake site collects your username and password.
A VPN cannot protect you from phishing because the VPN has no way to know that the website you are visiting is fake. From the VPN's perspective, you are simply visiting a website -- it does not evaluate whether the website is legitimate or fraudulent. The encrypted tunnel works perfectly; the problem is what is at the end of the tunnel.
What to Do Instead
Always check the URL carefully before entering credentials. Use a password manager -- they will not autofill credentials on fake domains. Enable two-factor authentication (2FA) on every important account so that even if your password is stolen, the attacker cannot log in without your second factor. Be skeptical of emails that create urgency ('Your account will be suspended unless you verify now').
3. Account-Level Tracking
This is perhaps the most misunderstood limitation. When you are logged into Google, your search history is tied to your Google account -- not your IP address. Google does not need your IP to know what you search for. The same applies to Facebook, Amazon, Twitter, and every other service where you have an account.
A VPN hides your IP address from these services, which prevents IP-based geolocation and some cross-site tracking. But the moment you log in, the service knows exactly who you are, regardless of your IP. Your browsing session is tied to your account, and all your activity is logged under that identity.
What to Do Instead
Use separate browsers for different purposes: one for logged-in activities and another for anonymous browsing. Use privacy-focused alternatives: DuckDuckGo instead of Google Search, Brave or Firefox instead of Chrome, ProtonMail instead of Gmail. Disable activity tracking in your Google, Facebook, and Microsoft account settings. Consider using a service like SimpleLogin or Proton's email aliases to create unique email addresses for each service.
4. Data You Voluntarily Share
When you fill out a form with your name, email, phone number, or address, that data goes directly to the website's servers. A VPN encrypts the transmission so nobody can intercept it in transit, but the website at the other end receives everything you typed.
Social media is the biggest example: every post, photo, check-in, and comment you share is voluntarily given to the platform. A VPN does not anonymize your social media presence. If you post your location on Instagram while connected to a VPN, the VPN has not protected your location -- you just told everyone yourself.
What to Do Instead
Be deliberate about what personal information you share online. Use a disposable email address for websites you do not trust. Do not post real-time location data on social media. Remember that a VPN protects the pipe, not what you choose to put through it.
5. Device-Level Surveillance
If your device itself is compromised -- by a keylogger, screen recorder, stalkerware, or a government-level spyware tool like Pegasus -- a VPN cannot help. These tools operate on the device before your traffic reaches the VPN. A keylogger records every keystroke before it is encrypted. Screen recording captures what is on your screen regardless of network encryption.
Even without malware, your device's operating system collects significant telemetry data. Windows sends usage data to Microsoft. Android phones communicate constantly with Google's servers. A VPN encrypts this traffic but does not prevent it from being sent.
What to Do Instead
Keep your operating system and all apps updated. Do not install software from untrusted sources. Use full-disk encryption on your devices. Be extremely cautious of apps that request excessive permissions. If you suspect your device is compromised, no amount of VPN encryption will help -- the device itself needs to be secured first.
The Bottom Line
A VPN is one layer in a broader privacy and security strategy. It is excellent at hiding your IP, encrypting your traffic, and preventing ISP monitoring. But it cannot protect you from yourself -- from clicking phishing links, downloading malware, logging into accounts, sharing personal data, or using a compromised device.
The best approach is defense in depth: VPN + antivirus + password manager + 2FA + common sense. No single tool protects against everything, but together they cover each other's blind spots.
NordVPN's Threat Protection Pro adds DNS-level malware blocking and ad tracking protection on top of the VPN, covering two of the five limitations listed above. It is the closest you can get to a single tool that does it all.