Mod note - I've moved this into its own thread.

Minimal issues. Spoofing IP addresses like that would require concerted and specific sabotage by your ISP (or, really, any ISP between you and your VPN server) to redirect your traffic to their server. But then you'd quickly notice you couldn't access your company resources. And what would they gain? A quick call to IT would reset your password.

Not saying it couldn't happen (the tinfoil hat brigade will be all over me otherwise) but that it's so unlikely I wouldn't worry about it unless you were a high value target and traveling to a country whose government would try to get your password.