A client messages you: "I got an alert that someone logged into my account from Germany — that wasn't me, or... wait, was I on a VPN?" This is the specific, narrower question that comes up constantly and deserves a better answer than a shrug: is this login coming from a VPN, a proxy, or a hosting/datacenter range — or does it look like an ordinary residential connection from wherever the client claims to have been?
Start with IP Lookup — what does the network actually look like
Run the login IP through IP Lookup and note the organization and country. A generic-sounding cloud or hosting name (AWS, DigitalOcean, Hetzner, OVH) or an organization you don't recognize as an ISP is your first clue. A named regional ISP or mobile carrier in a country the client can plausibly explain (a trip, a client visit, a relative's house) is a different picture entirely — this step alone won't settle it, but it tells you which direction to look.
ASN Lookup — where the real signal is
Run the same IP through ASN Lookup. This is the tool that actually distinguishes "residential connection somewhere unexpected" from "VPN, proxy, or datacenter" — and the heuristics are fairly reliable, though never absolute:
- Residential or mobile ISP ASN — a regional broadband provider or mobile carrier's ASN is consistent with an actual person connecting from an actual home or phone network. This is what you'd expect from someone genuinely traveling or working from an unusual location.
- Hosting or cloud provider ASN — real people don't typically connect to a login page directly from a datacenter's own IP range. An ASN belonging to AWS, DigitalOcean, Hetzner, OVH, or similar is a strong signal the traffic is routed through infrastructure, not a home connection — consistent with a VPN, proxy, or automated access.
- Known VPN or proxy provider ASN — some commercial VPN services have their own recognizable ASN or organization name in registry data, which is about as close to a direct answer as you'll get. Not every VPN shows this clearly; many just look like generic hosting-provider ASNs instead.
None of this is a certainty — it's a strong, practical signal built on how these networks are actually structured, not a lookup that returns "yes, this was a VPN."
Why this isn't a verdict
Be honest about the limits here, both with yourself and with the client. Legitimate remote workers use VPNs constantly — a corporate VPN, a privacy tool, a client's own IT policy requiring one. A hosting-provider or VPN-associated ASN is genuinely consistent with a real, authorized login just as much as it's consistent with something worth investigating further. The finding is "this is the kind of network a VPN or proxy typically uses," not "this proves the login wasn't the client." Treat it as a reason to ask a direct follow-up question, not as grounds to declare the account compromised.
Putting it together — how to talk to the client
Lead with the finding and a direct question, not an alarm:
"I checked the IP from that login — it's coming through a network type commonly used by VPNs and hosting services, not a typical home or mobile connection. Were you using a VPN at the time, or does that not sound familiar?"
If they confirm a VPN or remote-work setup, you're done — that's a satisfying, concrete answer instead of a shrug. If they say no, that's the point where it becomes a real security conversation: recommend a password reset and a closer look at account activity, rather than assuming either innocence or compromise before you've actually asked.
Bookmark this page — it's built to be the reference you pull up any time a client asks whether a login from somewhere unexpected was really them.