7 red flags to look for when choosing a VPN


Go shopping for a new VPN and you'll probably focus on your top priorities. 'I'll have something fast, feature-packed, unblocks Netflix and is seriously cheap, please.'

But the problem is you're relying on the provider's website to honestly describe its features. And the worst VPNs, the most dishonest, are quite happy to feed you any old garbage if it persuades you to hand over your cash.

That's why you also need to look for warning signs, the key factors which indicate that a particular provider isn't the one for you. And we've found seven red flags to check whenever you choose a new VPN.

1. Broken website

Any VPN can have a great-looking website just by spending a few dollars on a professional template. Making that site work properly takes skill and resources, though, and spotting major problems can highlight VPNs with neither.

Does the site have broken links, for instance? If there's only one, and that's on an easily missed two-year-old support page, that's not a big deal. But if trying to access the Privacy Policy, or the Blog, or some other vital page gets you an 'error 404 - page not found', that's a red flag.

Sites which don't fully support secure HTTPS connections are another major concern. We recently saw a VPN site which allowed us to access its login page via an insecure HTTP connection, for instance, potentially exposing usernames and passwords to snoopers.

When you're visiting a VPN website for the first time, don't just look at the graphics and the overall design. Pay close attention, scroll to the bottom of the page, click plenty of links and see what happens. We're not telling you to read every word on every page (life really is too short), more click a link, scan the page for anything which looks wrong, click Back and repeat. Just 60 seconds spent on a website once-over can save you a lot of hassle later.

2. Overpromising

As all the data gets routed through the VPN, a robust provider is needed to keep up with your demands. After all, you paid for a certain level of bandwidth from your ISP, and a better VPN should be able to keep up with it, with minimal loss of throughput.

A bad VPN is often oversold, with servers that get overloaded. This severely limits the bandwidth that can be used, translating to slow browsing and frequent hiccups when trying to enjoy streaming content.


3. No technical detail

Most top VPNs are proud of their service, and happy to give you plenty of detail on how it works. Browse the website and you'll get detail on the number of servers, the VPN protocols they support, the encryption types, all the different apps you can get, and the plethora of platforms on which you can set the VPN up manually.

Poor providers often won't go into any technical detail. Typically, that's because their service is so basic. If a VPN only supports one very old and insecure VPN protocol, for instance, it's not going to tell you that. Much easier to put 'UNCRACKABLE BANKING-GRADE ENCRYPTION!!!' on the website, and hope potential customers won't ask any questions.

There are one or two providers who do things differently. For example, TunnelBear provides very little technical detail because it's 100% focused on ease of use and appealing to VPN newbies, and that's fine with us. But for the most part, if a VPN website makes lots of huge promises but has nothing to back them up, that's a big fat red flag.

4. Identity crisis

Genuine VPN providers spend a lot of time building their brands and making sure you know who they are. But inexperienced or fraudulent VPNs either don't know how to do that, or don't care, and this can make for some very obvious red flags.

NordVPN's Google Play page is a great example of consistency. The app name begins NordVPN; the developer is Nord Security; the package name (the part of the URL after 'id=') is com.nordvpn.android, so includes 'nordvpn'; and the website, privacy policy link and email address all point to nordvpn.com.

Some VPNs might legitimately use a few different names. VPN Unlimited is run by KeepSolid, for instance, so you'll see both brands on the page. And that's fine, it's not a secret - the VPN Unlimited website mentions the KeepSolid name everywhere.

The real red flags begin to appear when there's no consistency at all. The VPN calls itself ReallyGreatVPN, for instance, but the package name is com.excellentvpn.com, and the website is freewebsite.com/myproject, and the email is vpn5427@gmail.com, and the privacy policy is somewhere else entirely. If you're left with precisely zero idea of who this provider really is, then it's probably not the service for you.
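The consistency check described in this section can be run mechanically over a store listing. The sketch below is an added example, not a tool from the article: the field names, the free-mailbox list, the URL paths, the support mailbox and the second listing's developer name and privacy-policy host are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Mailbox providers open to anyone; such an address proves no link to the brand.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def squash(name):
    """'Nord Security' -> 'nordsecurity' so labels can be matched as substrings."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def host_label(host):
    """nordvpn.com -> 'nordvpn'. Assumption: ignores suffixes like .co.uk."""
    parts = host.lower().strip(".").split(".")
    return squash(parts[-2] if len(parts) >= 2 else parts[0])

def identity_flags(listing):
    """Return red-flag strings for one app-store listing (a dict)."""
    names = [squash(listing["app_name"]), squash(listing["developer"])]
    # Android package names are reverse-DNS: com.nordvpn.android -> 'nordvpn'.
    pkg = listing["package"].lower().split(".")
    labels = {"package": squash(pkg[1] if len(pkg) > 1 else pkg[0])}
    for field in ("website", "privacy_policy"):
        labels[field] = host_label(urlparse(listing[field]).hostname or "")
    flags = []
    mail_host = listing["email"].rsplit("@", 1)[-1].lower()
    if mail_host in FREE_MAIL:
        flags.append(f"email: free mailbox provider {mail_host}")
    else:
        labels["email"] = host_label(mail_host)
    for field, label in labels.items():
        if not label or not any(label in n for n in names):
            flags.append(f"{field}: '{label}' matches neither app nor developer name")
    return flags

# Names and domains below are the article's; URL paths, the mailbox name, the
# second developer name and the policy host are constructed for this example.
NORD = {"app_name": "NordVPN", "developer": "Nord Security",
        "package": "com.nordvpn.android", "website": "https://nordvpn.com/",
        "privacy_policy": "https://nordvpn.com/privacy-policy/",
        "email": "support@nordvpn.com"}
SUSPECT = {"app_name": "ReallyGreatVPN", "developer": "Great Apps Studio",
           "package": "com.excellentvpn.com",
           "website": "https://freewebsite.com/myproject",
           "privacy_policy": "https://policy-host.example/p/5427",
           "email": "vpn5427@gmail.com"}

if __name__ == "__main__":
    for listing in (NORD, SUSPECT):
        print(listing["app_name"], identity_flags(listing) or "consistent")
```

Because the developer name is matched as well as the app name, a listing that legitimately shows two brands, as VPN Unlimited and KeepSolid do, is not flagged for that alone.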


5. Feeble support site

Don't sign up with a new VPN until you've taken a look at the support site. While you're browsing, imagine you were looking for help with setup, dropped connections, poor speeds or similar issues. Is there enough detail to answer your questions?

If there are very few articles, which don't cover the most common topics (installation issues, poor performance), and are only three or four sentences long, that's a red flag.

If the site has a search engine, use it to look for terms you'd expect to find: 'Netflix' if it claims to unblock the site, 'OpenVPN' or 'WireGuard' if it supports the protocols, anything relating to features the VPN claims to have. A good provider will have more articles than you expect; a poor VPN may have none at all.

It's important to be realistic, here. If you're signing up with a free Android VPN app, solely to unblock US YouTube, then it might not even have a website, let alone a support site, and that's probably okay. But if the provider claims to be a strong all-round VPN that competes with the best, but its support site is so poor that you feel you could do better, then that’s a red flag.

6. Copy-and-pasted privacy policy

Writing a detailed privacy policy takes time, knowledge, and real VPN and legal expertise. Providers who have none of these will take shortcuts, and they can be a real red flag.

If a privacy policy is very basic, just three or four sentences, that looks suspicious. Especially if it's just a bunch of empty 'we don't log, no, honestly' type promises. Legitimate policies aren't lengthy because providers want to annoy you: it's just not possible to give you the low-down on procedures in 100 words.

Sometimes there is no privacy policy. We've come across plenty of VPN apps with Play Store 'Privacy Policy' links which point to a blank page, or even worse, are broken links.

The really sneaky providers try to fool you by copying a privacy policy from another VPN, and passing it off as their own.

To check for this, browse the document for a sentence which seems to sum up the policy, and which you think someone else might like to steal. ExpressVPN's excellent privacy policy has this line, for instance: 'We designed our systems to not have sensitive data about our customers.' Short, eye-catching, sums everything up in a very few words: perfect.

Now copy and paste your target sentence into Google and see what comes up. That ExpressVPN line got us 200 hits, a few quoting it in reviews, but many from VPNs pretending the policy is their own work.

Can you really trust a VPN who can't be bothered to create a privacy policy and is happy to steal one from someone else? We'd say no: way too big a red flag for us.
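When you already have two policies side by side, the same comparison can be done locally rather than one sentence at a time through a search engine. This added example (not from the article) goes a step beyond the search described above by masking brand names, so a sentence that was copied with only the provider's name swapped still matches. Apart from the one line the article quotes, both policy texts and the name ReferenceVPN are constructed.

```python
import re

def normalise(sentence, brands):
    """Lowercase, mask brand names, drop punctuation and extra whitespace."""
    s = sentence.lower()
    for brand in brands:
        s = s.replace(brand.lower(), "<brand>")
    s = re.sub(r"[^a-z0-9<> ]+", " ", s)
    return " ".join(s.split())

def sentences(text, brands, min_words=6):
    """Set of normalised sentences; very short ones are too generic to count."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return {normalise(p, brands) for p in parts if len(p.split()) >= min_words}

def copied_sentences(candidate, reference, brands):
    """Sentences of `candidate` that also occur in `reference` once brands are masked."""
    return sorted(sentences(candidate, brands) & sentences(reference, brands))

def copy_ratio(candidate, reference, brands):
    """Share of the candidate's sentences that also appear in the reference."""
    cand = sentences(candidate, brands)
    return len(cand & sentences(reference, brands)) / len(cand) if cand else 0.0

# Constructed stand-in for an established provider's policy. Only the first
# sentence is the line quoted in the article; the rest is invented sample text.
REFERENCE = (
    "We designed our systems to not have sensitive data about our customers. "
    "ReferenceVPN does not keep records of the websites you visit while connected. "
    "Payment details are handled by third-party processors and never stored on VPN servers."
)
# Constructed policy of the article's fictional ReallyGreatVPN.
CANDIDATE = (
    "Welcome to ReallyGreatVPN. "
    "We designed our systems to not have sensitive data about our customers. "
    "ReallyGreatVPN does not keep records of the websites you visit while connected. "
    "Contact us by email with any questions you may have."
)
BRANDS = ["ReferenceVPN", "ReallyGreatVPN"]

if __name__ == "__main__":
    for s in copied_sentences(CANDIDATE, REFERENCE, BRANDS):
        print("shared:", s)
    print(f"copy ratio: {copy_ratio(CANDIDATE, REFERENCE, BRANDS):.2f}")
```

A high ratio only shows that the two texts share wording; it does not say which provider wrote it first.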

7. No signs of life

Browse your VPN's website and look for any recent news or developments.

Is there a blog, for instance? Does the company have any social media accounts? When did they last post something? Look at the content of any posts. A good VPN posts interesting articles and service updates at least every month or two; a poor VPN recycles the same old 'special deal' posts and not much else. What do you see?

Check other areas for signs of activity. Look at the date of the current mobile releases in the app stores. Click the Help or Support link, look for a 'Recently added' section with the dates of any new articles.

These signs don't necessarily mean much in themselves. Windscribe has gone a very long time between some app updates, for instance, but it's still an excellent VPN.

But if there's no sign of life anywhere, no social media post for 18 months, the blog page is blank and there's not been any obvious changes for a very long time, that's a concern. It suggests the company either isn't interested in developing the service, or doesn't have the resources to do that. Whatever the reason, this isn't a company which deserves your long-term business.

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.