Can Faxes Be Intercepted: Complete Guide (2026)

Yes — faxes can be intercepted, but the risk depends entirely on the transmission method. Analog fax, VoIP fax, and TLS-encrypted online fax each face different threats. This guide explains exactly how interception works, what the real risks are, and how to protect your transmissions.

Can Faxes Be Intercepted: Complete Guide (2026)

By Sarah Martinez · Published May 9, 2026 · Updated June 8, 2026 · 11 min read

Yes — faxes can be intercepted. Whether that interception is easy, difficult, or essentially impossible depends entirely on which type of fax transmission you are using. Analog fax over a copper phone line, VoIP fax via T.38 protocol, and TLS-encrypted online fax each have completely different attack surfaces and risk profiles.

This guide walks through the mechanics of fax interception for each method, what real-world incidents have actually occurred, how fax compares to email on interception risk, and what you can do to make your transmissions genuinely secure.

Quick Answer

Analog fax can be intercepted with a physical line tap — difficult but possible. VoIP/T.38 fax can be intercepted remotely using free network tools — easy once you're on the path. TLS-encrypted online fax cannot realistically be intercepted in transit — the risk shifts to endpoints and account security.

What "Fax Interception" Actually Means

Fax interception means capturing the content of a fax transmission without the sender's or receiver's knowledge — reading the document in transit rather than at either endpoint.

This is distinct from two other common exposure risks:

  • Misdirected faxes — sending to the wrong number, which is by far the most common real-world fax security incident
  • Endpoint exposure — documents sitting in an output tray, stored on a device's hard drive, or accessible in an unprotected inbox

Interception specifically targets the transmission path itself. The feasibility of that attack depends entirely on whether the path is encrypted, and how the encryption is applied.

Can Traditional Analog Fax Be Intercepted?

Yes — but only with physical access to the phone line. Traditional Group 3 fax transmits documents as modulated audio tones over the Public Switched Telephone Network (PSTN) using the ITU-T T.30 protocol. There is no encryption, no authentication, and no integrity protection at any layer of the transmission.

How Analog Fax Interception Works

A hardware tap placed on a 2-wire analog RJ11 phone line can capture the bi-directional audio signal in real time without interrupting the call. The captured signal is saved as a PCM audio file, then decoded by fax demodulation software to reconstruct the original document image verbatim. Commercial-grade telecom test equipment for this purpose is widely available; the software to decode T.30 signals is open-source.

The access points where a tap can be installed include:

  • Inside the premises — behind a wall plate or in a wiring closet
  • At a neighborhood junction box on the street
  • At a telephone company central office switching station
  • Via a court-authorized (or unauthorized) law enforcement tap at the carrier

The Physical Access Barrier

The single protection analog fax has is the physical access requirement. Intercepting analog fax at scale requires significant resources and infrastructure access. This is why US law enforcement must explicitly obtain court authorization for fax interception under 18 U.S.C. § 2518, treating it on par with telephone wiretaps.

For most organizations, the realistic analog fax threat model is targeted surveillance by state actors, not opportunistic interception. That said, "difficult" is not the same as "impossible" — and as the PSTN has been converted to VoIP infrastructure by carriers, that physical barrier has eroded significantly.

The PSTN Is Now Largely VoIP

Most telephone carriers have converted their PSTN infrastructure to VoIP internally. When you send an "analog" fax over a standard phone line, it may be converted to a VoIP signal at the carrier's network edge — meaning the assumption that "analog fax can only be tapped physically" no longer holds for end-to-end transmission.

Can VoIP Fax (T.38) Be Intercepted?

Yes — and it is significantly easier than analog interception. T.38, the protocol used for fax over IP (FoIP), was designed for circuit-switched network environments where physical isolation provided implicit security. Transported over the open internet, it has no such protection.

Why T.38 Has No Built-In Security

T.38 packets travel as ordinary UDP/IP datagrams across IP networks. The protocol specification includes no encryption, no authentication, and no message integrity controls. Anyone with access to the network path between sender and receiver — at an ISP, corporate router, or cloud node — can capture T.38 packets with a standard network analyzer.

Critically, the tooling to exploit this is freely available and well-documented. Wireshark, the open-source packet analyzer used by network engineers worldwide, includes a T.38 dissector that can decode captured traffic and reconstruct the fax image directly from a packet capture file. This is a documented, routine troubleshooting technique — which means the same capability is trivially accessible to anyone who wants to use it maliciously.

The Mitigation That Isn't Widely Deployed

The correct mitigation for T.38 exposure is encapsulating it over SRTP (Secure Real-time Transport Protocol) — the same encryption used for secure voice calls. T.38 over SRTP encrypts the fax payload in transit and prevents packet-level interception.

The problem: most VoIP providers do not enable SRTP encapsulation for T.38 by default. Many do not support it at all. Organizations that believe their VoIP fax is "secure" because it travels over a corporate network may be transmitting unencrypted fax data across shared internet infrastructure without realizing it.

Verify Before Assuming

If your business uses a VoIP phone system for faxing, contact your provider and ask specifically whether T.38 is encapsulated in SRTP. If they cannot confirm this, assume your VoIP fax transmissions are unencrypted in transit.

Can Online (TLS-Encrypted) Fax Be Intercepted?

Not in transit — but the last mile matters. Reputable online fax services transmit documents as HTTPS/TLS traffic, not as T.38. TLS 1.3 with AES-256 encryption makes in-transit interception computationally infeasible with current technology. The same encryption class protects online banking and healthcare portals.

For a passive attacker positioned anywhere on the network path between you and the fax service, an encrypted transmission reveals nothing usable.

What TLS Encryption Actually Protects

TLS encryption in transit means the document content is unreadable to anyone intercepting packets between your device and the fax service's servers. Even with complete access to every packet in the transmission, an attacker sees only ciphertext they cannot decrypt in any practical timeframe.

Beyond transit security, reputable online fax services apply AES-256 encryption to documents stored at rest on their servers. This means the document is protected not just while moving, but while waiting to be delivered.

For a complete breakdown of how fax encryption layers work, see our guide to fax encryption and how to verify your provider.

The Last-Mile Vulnerability

The most significant remaining risk for online fax is the last-mile delivery problem: what happens after the fax service has received your document.

If the fax service delivers to an email inbox, the security of that delivery depends entirely on whether the email provider enforces TLS. If the receiving email server does not support TLS, some providers will fall back to unencrypted delivery — meaning the final leg of your "secure" fax is transmitted in plaintext.

This is the difference between opportunistic TLS (try encrypted, fall back to unencrypted) and enforced TLS (refuse delivery unless encrypted). For sensitive documents, enforced TLS is required — opportunistic TLS provides only partial protection.

Server-Side Storage Risks

Documents stored on a provider's servers are a separate attack surface. A breach of the provider's infrastructure can expose stored faxes regardless of how strong the transit encryption was. This is why evaluating a provider's security posture — not just their encryption protocol — matters for sensitive use cases.

For a full evaluation framework, see Is Online Fax Secure? The Truth About Encryption & HIPAA.

Fax TypeEncryptionInterception MethodDifficultyHIPAA Safe?
Analog (PSTN)NonePhysical line tapHard (requires physical access)Risk-based exception only
VoIP / T.38None by defaultPacket capture (Wireshark)Easy (remote, no physical access)No
Online Fax (TLS)TLS 1.3 + AES-256Endpoint/account compromiseVery hard in transitYes (with BAA)
Online Fax (opportunistic TLS)TLS where supportedLast-mile unencrypted legPossible at delivery endpointOnly with enforced TLS

Real-World Fax Interception Incidents

Fax interception is not theoretical. It has occurred at documented scale, and the attack surface for networked fax devices has been proven in public security research.

NSA Bulk Collection Programs

Classified documents disclosed beginning in 2013 confirmed that the NSA's bulk collection programs explicitly included fax communications. AT&T installed a fiber-optic splitter at its San Francisco facility that copied all traffic — including faxes — to NSA infrastructure. Project SHAMROCK, the earlier predecessor program running from 1945–1975, gave the NSA direct access to all international telegram traffic from major carriers. The Church Committee described it as "probably the largest government interception program affecting Americans ever undertaken."

The policy implication: fax communications have been treated as a valid interception target by intelligence agencies for decades. The infrastructure to intercept them at scale exists.

Faxploit: CVE-2018-5924 and CVE-2018-5925

In August 2018, Check Point Research presented "Faxploit" at DEF CON 26. Researchers demonstrated that sending a single malformed fax image to an HP all-in-one printer-fax could exploit buffer overflow vulnerabilities (CVE-2018-5924 and CVE-2018-5925) to achieve full remote code execution on the device — using only a publicly listed fax number.

From that foothold, the researchers demonstrated lateral movement across the connected corporate network. The attack required no credentials, no physical access, and no prior knowledge of the target's infrastructure — just a fax number.

This is not interception of a fax in transit. It is a documented real-world attack vector via fax infrastructure that can expose every document stored on the device and provide entry to the broader network.

Networked Fax Machines Are Network Entry Points

Any fax machine connected to your corporate LAN is a potential attack vector — not just a communication device. HP issued patches for CVE-2018-5924/5925. Verify your devices are patched and consider whether networked fax machines need LAN connectivity at all.

Fax vs. Email: Which Is Harder to Intercept?

The answer depends on which version of each technology you're comparing.

ComparisonAnalog FaxVoIP/T.38 FaxOnline (TLS) FaxStandard EmailTLS Email
In-transit encryptionNoneNoneTLS 1.3Often noneTLS
Interception methodPhysical tapPacket captureAccount/endpointRelay interceptAccount/endpoint
Phishing vulnerabilityNoNoYes (account takeover)YesYes
Credential stuffing riskNoNoYesYesYes
Scale of passive surveillanceTargetedTargetedTargetedMass collection feasibleTargeted

Where fax is harder to intercept: Analog fax requires physical infrastructure access for interception — a genuine barrier against opportunistic attackers. It is also immune to the phishing and credential-stuffing attacks that account for roughly 90% of email-based data breaches.

Where fax is easier to intercept: VoIP/T.38 fax is arguably less secure than TLS email. Major email providers (Gmail, Outlook) at minimum use opportunistic TLS between mail servers; T.38 by default uses no encryption whatsoever. The tooling to exploit unencrypted T.38 is freely available.

Practical conclusion: Modern online fax from a reputable provider, properly configured with enforced TLS, provides comparable or better in-transit security to TLS email. The differentiator is then endpoint security and provider trust, not transmission security.

For a detailed breakdown, see Is Fax Secure? What You Need to Know.

7 Ways to Prevent Fax Interception

  • Use an online fax service with TLS 1.3 in transit and AES-256 at rest — this eliminates the primary interception risk entirely. Verify the provider publishes their encryption specifications.
  • Require enforced TLS, not just opportunistic TLS — contact your provider and confirm they will refuse delivery rather than fall back to unencrypted transmission. This matters most when delivering to email addresses.
  • Verify T.38 is encapsulated in SRTP if you use VoIP fax — ask your VoIP provider directly. If they cannot confirm SRTP encapsulation, treat all VoIP fax as unencrypted.
  • Disconnect fax machines from your corporate LAN where possible — Faxploit demonstrated that a networked printer-fax is a full network entry point. Isolate fax devices on a dedicated VLAN or keep them off the network entirely.
  • Patch fax machine firmware — CVE-2018-5924/5925 affected HP all-in-ones; similar vulnerabilities likely exist across vendors. Apply all vendor firmware updates and monitor advisories.
  • Enable multi-factor authentication on your online fax account — in-transit encryption is only as good as the account protecting the inbox. MFA prevents the most common account takeover vectors.
  • Always double-check recipient fax numbers — misdirected faxes cause more real-world PHI exposure than interception. One wrong digit sends your document to a complete stranger, and for HIPAA-covered entities this is a reportable breach.

What HIPAA Requires for Fax Interception Protection

HIPAA does not prohibit faxing protected health information (PHI). What it does require is that transmission of ePHI meet the Technical Safeguards defined in 45 CFR § 164.312.

The "Addressable" Encryption Requirement

HIPAA's Security Rule lists transmission security under § 164.312(e)(2) as an addressable specification. Addressable does not mean optional. Covered entities must either:

  1. Implement the specification (transmission encryption), or
  2. Document why implementing it is not reasonable and appropriate, and implement an equivalent alternative control

For internet-routed fax transmissions — which includes all online fax services and most "analog" fax traffic that routes through carrier VoIP infrastructure — there is no credible alternative to encryption. The risk-based exception for analog dial-up lines that HHS outlined in 2000 predates the widespread VoIP conversion of the PSTN and no longer applies to most fax infrastructure.

Misdirected Fax Is a Reportable Breach

A misdirected fax containing PHI is a reportable breach under the Breach Notification Rule (45 CFR § 164.400–414) — unless the PHI was encrypted. This is the most operationally significant HIPAA risk for fax users, more likely to occur than interception.

BAA Requirement

Any online fax service provider that handles PHI must sign a Business Associate Agreement (BAA) with the covered entity. The BAA establishes the provider's obligations to safeguard PHI and is a prerequisite for HIPAA-compliant online faxing — regardless of how strong the encryption is.

For a complete compliance checklist, see our HIPAA Compliant Fax guide.

mFax Business Includes What HIPAA Requires

mFax Business provides TLS encryption in transit, AES-256 encryption at rest, BAA signing, audit logs, and access controls — the complete set of technical safeguards required for HIPAA-covered fax transmissions. Plans start at about $9/mo (billed annually) — you build your own plan with a live calculator, choosing the exact number of seats and pages you need rather than paying for a rigid fixed tier.

Are Faxes More Private Than Email?

The privacy picture for fax is nuanced. Traditional analog fax is immune to the mass-scale opportunistic attacks — phishing, credential stuffing, compromised mail relays — that account for most real-world email breaches. An attacker cannot send a billion fax "phishing" attempts the way they can with email.

But fax is not a magic privacy shield. The ITU-T T.30 protocol has no concept of authentication — you cannot cryptographically verify who sent a fax or that it was not modified in transit. And VoIP fax, which now underlies most "traditional" fax infrastructure, exposes document content more easily than most people realize.

The practical privacy hierarchy for sensitive documents in 2026:

  1. End-to-end encrypted messaging (Signal-class) — strongest
  2. TLS online fax with enforced encryption — strong, HIPAA-suitable
  3. TLS email with enforced encryption — strong, but inbox access risk
  4. Standard TLS email — adequate for most business use
  5. Analog PSTN fax — weak encryption, but targeted-only interception risk
  6. VoIP/T.38 fax without SRTP — weakest: easily intercepted remotely with free tools

For a full security comparison, see Are Faxes Encrypted? What You Need to Know.

Choosing the Right Protection for Your Use Case

If you are sending sensitive documents — medical records, legal filings, financial data — the transmission method matters as much as the document classification.

For occasional personal use: A reputable online fax service with TLS encryption is sufficient. The in-transit risk is negligible; make sure you confirm the recipient's number before sending.

For healthcare, legal, and financial organizations: Online fax with enforced TLS, AES-256 at rest, BAA coverage, and audit logs is required. Verify that your provider offers enforced TLS (not just opportunistic) and that T.38 delivery to external fax machines is handled securely.

For organizations still using analog or VoIP fax machines: Audit whether your fax machines are networked, apply all firmware patches, and evaluate whether migration to a dedicated online fax platform would reduce your attack surface. For VoIP fax specifically, confirm SRTP encapsulation status with your provider.

mFax Business is built for exactly this use case: HIPAA-ready faxing with TLS + AES-256, BAA support, team accounts, and delivery audit trails — everything needed to reduce your interception and compliance risk to an acceptable level. Plans start at about $9/mo.

For more on protecting fax transmissions in a compliance context, read What Is a Secure Fax? Definition, Features & How to Send One.

Frequently Asked Questions

Can traditional analog fax be intercepted?
Yes. Analog fax transmits as unencrypted audio tones over a phone line with no cryptographic protection. A physical tap on the line lets anyone with the right equipment capture and reconstruct the document verbatim. The barrier is physical access, not encryption — once a tap is in place the data is fully exposed.
Can VoIP fax (T.38) be intercepted?
Yes, and more easily than analog. T.38, the protocol used for fax over VoIP, has no built-in encryption. Packets travel as plain UDP/IP datagrams across the internet. Anyone with access to the network path can capture them with a free tool like Wireshark and reconstruct the fax image — no physical access required.
Can TLS-encrypted online fax be intercepted in transit?
Not by a passive network attacker. TLS 1.3 with AES-256 makes in-transit interception computationally infeasible — the same class of encryption used for online banking. However, the "last mile" remains a risk if the final delivery leg (email inbox or fax machine) does not enforce TLS.
What is the most common way fax documents are actually exposed?
Misdirected faxes — sending to the wrong number — are far more common than interception. A single wrong digit delivers sensitive documents to a complete stranger. For HIPAA-covered entities, a misdirected fax containing PHI is a reportable breach unless the document was encrypted end-to-end.
Does HIPAA require encrypted fax transmissions?
HIPAA lists transmission encryption as an "addressable" specification under the Security Rule (45 CFR § 164.312(e)(2)). Addressable means you must implement it or document a risk-equivalent alternative — it is not optional. For analog fax over dedicated dial-up lines, HHS allows a risk-based exception; for internet-routed transmissions, encryption is effectively required.
Home Business Pricing Fax API Blog Document Converter Company
Terms of Service Privacy Policy