Finding the best VPN seems easy, at least in theory. Browse a few provider websites, compare key details like the number of locations and the price, and you can be signed up within minutes.
But beware: some providers will stretch the truth to breaking point in the claims they'll make about their service. What you seem to be promised on the website doesn't always match up with what you'll actually get.
Don't let this stop you shopping for the best VPN deals – there are plenty of good services around. But it's important to understand what's going on in terms of sales spin in some cases. To help out, we've listed seven particularly sneaky tricks you can look out for, and how you can avoid them. Good luck, and be careful out there.
1. Outdated server lists
A VPN's location list is one of its key selling points, and companies know that the higher the number of servers, locations and countries they can offer, the more interest they're going to attract.
Unfortunately, you can't always believe what you read. The totals you'll see on the website may be outdated, and won't always reflect what you'll get in the client. Sometimes this can work in your favor (maybe a firm has recently added more servers), but occasionally a VPN might no longer support a few locations and ‘forget’ that they're still listed on the website.
An even sneakier, but less common trick, is to offer servers which support so few protocols that they only work with specific devices. You might find that although you've been promised an Australian server, for instance, it's not available on desktops.
It's difficult to detect this trick in advance, but you can at least check a service for its consistency. Look at any server, location and country totals on the front page of the website, and compare them to other places on the site (a server status page, a plan comparison table, a features page, maybe the store pages for any iOS and Android apps). Any differences in numbers you spot might be due to sloppiness more than malice, but that's still worth noting.
If you sign up for any of the best VPN free trials anyway, don't assume the location list on the website matches what you'll get in real life. Take the time to scroll through the server list and confirm the service offers everything it has promised.
Above all, remember that when it comes to servers, it’s about quality as well as quantity. Admittedly, having thousands of servers to choose from can come in useful when you’re trying to stream online video services like Netflix, but this isn’t necessarily what’s best for your privacy.
This is because many VPN providers will rent server space from third parties in order to offer their service. In other words, they’re trusting other people with your data. In an ideal world, all VPN providers would have their own servers, which only they controlled, so trust wouldn’t be such an issue.
In reality, you may have to compromise a little. Look for providers that at least use bare metal hosting, so they aren’t sharing their servers with other companies. For instance, ProtonVPN does this for all its core servers where user account information is held.
2. Misleading ‘no logging’ claims
Privacy is a top concern for many VPN users, so it's no surprise that providers attempt to reassure them with blanket ‘no logging’ claims.
A VPN firm might promise that there are ‘no logs kept of any kind, ever’ on the homepage. Sometimes you'll see additional claims that the company doesn’t log the sites you visit, and that it can’t see anything you're doing online. The core of this may well be true, but often you're not being told the whole story.
Many services keep session logs which might record the times you connect, maybe the bandwidth used, the incoming IP address, device details, or the outgoing IP address. That could leave a trail which allows any of your internet actions to be linked back to you, at least in theory (someone would need access to examine the logs, first).
VPN providers are sometimes open about collecting this kind of information, but it can be done in such a way that there’s no link to your user account, by assigning you a random ID.
This can also be helpful for the VPN provider to identify anyone abusing the service, if they've received complaints, so is not necessarily a cause for concern.
Still, this kind of trickery is so widespread that we'd recommend you ignore all the front-page no logging claims entirely. The best approach is to start by assuming every VPN keeps (or can keep) some form of logs, unless they can come up with a very convincing case that shows otherwise.
When it comes to logging, the gold standard should always be reputable VPN providers, such as ExpressVPN and NordVPN, who regularly submit themselves to audits by trusted third parties. This means you don’t have to take their word for it but can verify the claims for yourself.
You should be particularly worried if you’re considering using a “free” VPN service, as these providers have to make money somehow. Many do this by selling user data. Even the honest ones are usually forced to limit users' downloads or ‘throttle’ certain types of traffic. Naturally they can only do this by examining what you’re downloading, so try to stick to any of the best free VPN services or, better yet, use a trusted paid VPN provider.
3. Dubious app store reviews
The best mobile VPN apps often have very little information on their abilities, so you'll probably want to check out the ratings and reviews of other users. But beware: VPN providers know how important these can be, and the less honest will use a range of tricks to boost their scores.
For example, we've seen services which promise benefits such as extra bandwidth to users who give the app a five-star rating.
Other free apps are a little less blatant, but still try to steer you in the same direction. One recent example asked us if we'd like to remove a service limit, and when we tapped 'Yes', asked us for a rating. It's not compulsory and you don't have to give the app a top score, but many users will, and that's enough to skew the figures.
Our best advice is that you shouldn’t put any great weight on high app scores. If you're curious, though, take some time to scroll through previous reviews. If an app is begging or offering incentives for good reviews, a few users will probably mention that. You should never choose (or reject) a VPN service on app reviews alone, though.
In September 2022, a cybersecurity firm discovered that an Iranian state-backed hacker group had even managed to inject spyware into people’s devices by persuading them to download Android mobile VPN apps. The scary part of this is that the mobile apps actually did function as advertised, in that they connected users to a VPN, but all the time they were secretly transmitting information without users’ knowledge or consent. All the more worrying, one such app even made its way into the Google Play store, which is meant to check for this sort of thing.
Apple users may feel smug about using iOS, which is generally less prone to malware given that the company creates both the operating system and the hardware it runs on. Still, in August 2022 a security researcher discovered malware lurking in no fewer than seven apps in Apple’s official store. Naturally Apple moved quickly to remove these, but the point remains that the vetting process for Apple apps isn’t perfect.
Given that you can’t automatically trust the App store, make sure to read reviews of VPN mobile ‘client’ software and if you’re unsure, don’t download.
If your VPN provider supports the OpenVPN protocol, then you can use the free and open source app OpenVPN Connect to use their service. As the source code for such apps can be viewed by anyone, it makes it much harder to code in any malicious ‘backdoors’.
4. Not-so-special deals
Head off to most VPN pricing pages and you'll find plenty of ‘special deals’ which usually aren't special at all. For all the ‘50% off’ splashes, the flash deals or the ‘strictly limited’ offers – which sometimes require that you sign up within a few minutes to get the special price – many VPN providers' pricing schemes don't change much at all.
If you're wondering whether that deal really will expire tonight, your first port of call should be a reliable, unbiased tech-oriented website like TechRadar which has in-depth reviews of your chosen provider. Any good reviewer will talk about pricing and any special offers available.
If you’re still not sure, you can enter the VPN website’s URL into the Internet Archive’s Wayback Machine to check what the prices were like a few months ago. The offer might not be as limited as the provider pretends.
Even when an apparent bargain appears, stop for a moment and think about it. VPNs occasionally offer lifetime subscriptions for amazing prices, which we've seen as low as $40 (£30) or so, but this isn't a sustainable business model.
Unless it's a genuinely short-term offer from a well-known, big-name provider, we'd treat these offers as a warning more than an opportunity. That lifetime licence won't help you much if the provider goes bust a month or two later.
Even if the VPN provider limps along, you have to wonder how much money they’re spending on upgrading servers, giving you extra bandwidth and improving security. The answer is likely to be that they’re treading water, so won’t be able to offer you a reliable, safe service.
If you're still struggling, then our round up of the best cheap VPN services will help you discover the ones that keep things affordable all year around.
5. Fake server status information
Every good VPN should display a list of its servers, but some companies go a little further, also including some kind of server load or health indicator. These figures almost always seem to show very low load figures, so presumably these organizations are hoping you'll be impressed by all the apparently spare capacity.
On the face of it, this seems like a good idea, but we're unsure how meaningful the figures really are. What are they actually measuring? How are they calculated? How up-to-date are they? No-one ever seems to explain.
And although we're not saying all, or even most of the pages are misleading, we've come across a few which have tried to fool users. One was a simple static HTML page which displayed the same low figures all the time, whenever you visited. A slightly smarter page seemed to use random values, although as usual they were all reassuringly low.
If you come across one of these pages, try forcing a refresh and look to see what, if anything, changes. Revisit the page over the course of a day to see if load increases at peak times, as you would expect. Also, enter the page URL at archive.org and again compare the values.
Whatever this tells you, look for some explanation of what these load or usage figures actually mean. If there isn't one, ignore them – they're just marketing.
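The refresh-and-revisit check described above can be applied to readings you note down yourself. This is an added example, not code from the original article; the sample readings are constructed, and the evening peak window and the 10-point threshold are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed readings: (hour_of_day, load_percent) noted from a status page
# every two hours over one day. None of these are real measurements.
STATIC_PAGE = [(h, 12) for h in range(0, 24, 2)]
RANDOM_PAGE = [(0, 9), (2, 17), (4, 6), (6, 14), (8, 11), (10, 5),
               (12, 16), (14, 8), (16, 13), (18, 7), (20, 15), (22, 10)]
PLAUSIBLE_PAGE = [(0, 22), (2, 15), (4, 11), (6, 14), (8, 25), (10, 31),
                  (12, 36), (14, 38), (16, 45), (18, 61), (20, 68), (22, 47)]

PEAK_HOURS = range(18, 23)   # assumption: evenings are the busy period
MIN_PEAK_RISE = 10.0         # assumption: percentage points, for illustration


def assess_load_page(samples):
    """Return (verdict, peak_rise) for a day of load readings."""
    loads = [load for _, load in samples]
    # Identical figures on every visit: the page is probably static HTML.
    if pstdev(loads) == 0:
        return "static", 0.0
    peak = [load for hour, load in samples if hour in PEAK_HOURS]
    off_peak = [load for hour, load in samples if hour not in PEAK_HOURS]
    if not peak or not off_peak:
        return "inconclusive", None
    # Figures that change but never climb at busy times look like random
    # filler rather than a measurement of real usage.
    rise = mean(peak) - mean(off_peak)
    if rise < MIN_PEAK_RISE:
        return "no-peak-rise", round(rise, 1)
    return "plausible", round(rise, 1)


if __name__ == "__main__":
    for name, page in [("static", STATIC_PAGE), ("random", RANDOM_PAGE),
                       ("plausible", PLAUSIBLE_PAGE)]:
        print(name, assess_load_page(page))
```

A "plausible" verdict only means the figures behave the way real load would; it says nothing about what the provider is actually measuring.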
The acid test when it comes to servers will naturally be when you use them. If you’re using the VPN provider’s “client” software they will normally switch you to a different server in order to maintain a reliable, fast connection for you.
The reliability of your server connection (and to some extent its speed) will also depend on the type of VPN protocol you’re using. For instance, the NordLynx protocol from NordVPN, which is itself based on WireGuard, offers some lightning-fast speeds relative to older protocols.
Major VPN providers will also sometimes offer you servers optimised for certain tasks like P2P downloads. If you use them for another purpose e.g. streaming video, they may not perform as well. Check your provider’s server page to find one that’s suited to your needs.
6. Useless refunds
Many VPNs won't allow you to try before you buy, and instead ask you to pay upfront, but promise a refund if you're unhappy.
Occasionally a service will try to make this sound better by extending the refund over a long period. Around seven days is normal, but we've seen some providers offer 14 days, or even 30.
While this seems reasonable, there are sometimes sneaky catches which can make it difficult, or even impossible, to get your money back.
The worst will place strict limits on your service use. They might say you only qualify for a refund if you've used less than a small amount of bandwidth (sometimes just a few hundred megabytes), or have connected for only a small number of times. We've used up our entire refund allowance for some VPNs with a few minutes of testing.
You should also remember what you learned earlier: if a VPN provider is placing any kind of limit on your downloads that necessarily means they’ve been monitoring your connection. This isn’t good for your privacy, even if they just counted the number of data packets.
Other services say you can only ask for your money back if the service hasn’t met ‘reasonable expectations’. Of course, the company gets to decide what's reasonable, and unless the VPN was a total disaster (i.e. you never successfully connected once) there's a chance the firm could refuse your request.
To avoid this, check the small print before you sign up. Sometimes there's a refund policy link, and otherwise, any details are often mentioned in the terms of service or in the FAQ. Restrictions in the small print won't always matter – a 2GB bandwidth limit gives you plenty of time for testing – but in general, the fewer refund conditions in place, the better.
Some VPN providers such as ProtonVPN offer both a free and a paid tier to let you try out the service before paying up. Still, if there are premium options only available to subscribers make sure to take the same precautions as for a fully paid-up service by carefully reading the Terms and Conditions before signing up.
7. Stolen small print
To find out more, browse the policy and look for a line which seems specific to the business. Here's a good example which describes a fine detail of how the VPN works: "<VPN_NAME> assigns a unique identifier to each User of the Service, but <VPN_NAME> does not tie these unique identifiers to the Personal Information of Users."
Now use Google to search for a chunk of this which doesn't include the company name, like "does not tie these unique identifiers to the Personal Information of Users", and look for any hits. Make sure to include the words within quote marks “”, which tells Google to look for these exact words.
We regularly find text shows up on multiple VPN sites, and sometimes there are innocent explanations. Each VPN might be run by (or reselling) the same service, maybe. Or perhaps the current site wrote the original policy and everyone else copied it.
But if you're looking at some brand new app you've never heard about before, and it has copy-and-pasted key small print from one of the big VPN companies, then be careful. That suggests to us that the organization is creating a website to give you what you want to see, rather than tell you the truth, and that leaves us with a big question: what else on the VPN’s site might be fake?
There’s absolutely no reason for a legitimate VPN service to steal another’s wording: it suggests at the very least they’re being lazy. Of course, if you do find the wording on more than one website, you might have trouble discovering whose wording this was originally!
This is where a WHOIS website can help you: enter the domain names of both websites to find out which was registered first. This is also a helpful way to find out where the VPN service is actually registered, and whether it’s in a jurisdiction that allows it to be subject to secret court orders or one which only has weak protection against hacking.
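The exact-phrase comparison described above can also be run on two policies you have saved locally, masking each provider's name first just as the quoted line uses <VPN_NAME>. This is an added example, not part of the original article; the provider names AlphaVPN and BetaTunnel and both policy texts are constructed, and the eight-word minimum is an assumption to skip generic short sentences.

```python
import re


def normalise(text, brand):
    """Mask the provider's name and collapse whitespace so that the same
    sentence matches across two sites."""
    masked = re.sub(re.escape(brand), "<VPN_NAME>", text, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", masked).strip()


def sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def shared_sentences(policy_a, brand_a, policy_b, brand_b, min_words=8):
    """Return sentences of policy_b that appear verbatim in policy_a once
    both brand names are masked. Short sentences are ignored."""
    seen = {s.lower() for s in sentences(normalise(policy_a, brand_a))}
    hits = []
    for s in sentences(normalise(policy_b, brand_b)):
        if len(s.split()) >= min_words and s.lower() in seen:
            hits.append(s)
    return hits


# Constructed policy excerpts built around the line quoted in the article.
POLICY_A = ("AlphaVPN assigns a unique identifier to each User of the "
            "Service, but AlphaVPN does not tie these unique identifiers "
            "to the Personal Information of Users. Payments are handled "
            "by a third-party processor.")
POLICY_B = ("Welcome to BetaTunnel. BetaTunnel assigns a unique identifier "
            "to each User of the Service, but BetaTunnel does not tie these "
            "unique identifiers to the Personal Information of Users. "
            "Contact us by email.")

if __name__ == "__main__":
    for hit in shared_sentences(POLICY_A, "AlphaVPN", POLICY_B, "BetaTunnel"):
        print("Shared:", hit)
```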
Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.