Is Fax Secure? Tips & Best Practices Compared (2026)

Is fax secure? The answer depends on how you fax. Traditional machines send unencrypted data over phone lines — but modern online fax services use AES-256 encryption, TLS 1.3, and full audit trails to keep your documents safe.

Is Fax Secure? Tips & Best Practices Compared (2026)

By Sarah Martinez · Published April 16, 2026 · Updated June 8, 2026 · 9 min read

Is fax secure? The short answer: it depends entirely on how you fax. A traditional fax machine sends your documents as unencrypted analog signals over phone lines — with no encryption, no audit trail, and physical pages sitting exposed in an output tray. A modern online fax service, on the other hand, wraps every transmission in TLS 1.3, stores documents with AES-256 encryption, and logs every action for compliance.

The gap between those two worlds is enormous. This guide breaks down the real security risks of traditional and online faxing, shares 8 best practices for keeping your faxes safe, and compares the top secure fax options available in 2026.

Bottom Line Up Front

Modern online fax services are more secure than traditional fax machines — and, for encrypted transmission, more secure than standard email. The key is choosing a provider with TLS encryption, AES-256 at rest, a BAA for HIPAA, and two-factor authentication.

Is Traditional Fax Secure?

Traditional fax machines are not secure by modern standards. They transmit documents as analog signals over the Public Switched Telephone Network (PSTN) — and those signals are not encrypted.

Here's what that means in practice:

  • Phone line interception: A skilled attacker can tap into phone lines and decode the analog signal, capturing your document as it travels. This is especially risky on lines that pass through external junctions or third-party infrastructure.
  • Physical exposure: Faxes arrive in a shared output tray. Any document sitting there — a medical record, a contract, a legal filing — is visible to whoever walks past. Research consistently shows that documents linger in output trays for hours in shared office environments.
  • No audit trail: Traditional machines keep no record of who sent what, when, or to whom. If a document goes astray, you have no way to investigate.
  • Internal hard drive copies: Many multifunction printers store copies of every fax on an internal hard drive. When the machine is decommissioned or sold, that data goes with it unless the drive is wiped.
  • Faxploit vulnerabilities: Check Point Research demonstrated in the "Faxploit" attack that a single malicious fax can exploit protocol vulnerabilities in a fax machine to inject malware and spread through the connected network — using nothing but the publicly listed fax number.

The Faxploit Risk Is Real

In 2018, Check Point researchers showed that knowing only an organization's fax number, they could send a specially crafted image that exploited HP multifunction printer firmware — gaining access to the entire corporate network. Traditional fax machines have no firewall, but most are connected to internal networks.

Traditional fax had a reputation for security largely because phone lines were perceived as harder to intercept than the open internet. That assumption was always shaky — and it's no longer valid at all.

Is Online Fax Secure?

Online fax is significantly more secure than traditional machines — provided you choose a reputable provider. Reputable services use:

  • TLS 1.2 / TLS 1.3 for encryption during transmission (data in transit)
  • AES-256 for documents stored on servers (data at rest)
  • Two-factor authentication (2FA) to protect account access
  • Full audit logs recording every send, receive, view, and download
  • SOC 2 Type 2 certification and/or ISO 27001 for infrastructure security

The result: a fax sent via a quality online service is protected end-to-end in ways a traditional machine simply cannot match. Check our complete guide to online fax security for a deeper technical breakdown.

That said, not all online fax services are equal. A low-cost consumer service may transmit over TLS but store documents unencrypted, skip audit logging, or share infrastructure that doesn't meet compliance requirements. Vetting your provider matters.

Online Fax vs. Email

Standard email is arguably less secure than quality online fax. Most email travels unencrypted between servers, is prone to phishing and account compromise, and provides no delivery confirmation. Online fax with TLS + AES-256 beats standard email on every security dimension.

Is Online Fax HIPAA Compliant?

Online fax can be HIPAA compliant — but HIPAA compliance is not automatic. To be compliant when transmitting Protected Health Information (PHI):

  1. The provider must sign a Business Associate Agreement (BAA) — this is a legal requirement under HIPAA. Without a BAA, no service is HIPAA compliant, regardless of its technical features.
  2. Encryption must be in place — TLS in transit and AES-256 at rest.
  3. Access controls must restrict who can see faxes — role-based permissions, 2FA.
  4. Audit logs must record all access — who accessed what, and when.

Services like mFax Business, eFax, and RingCentral all offer BAAs and HIPAA-ready configurations. Traditional fax machines offer none of these by default. See our detailed HIPAA fax requirements guide for the full checklist.

No BAA = Not HIPAA Compliant

Even the most technically secure fax service is not HIPAA compliant unless you have a signed BAA in place. Always confirm BAA availability before sending PHI.

8 Best Practices for Secure Faxing

Whether you're using a traditional machine or an online service, these practices significantly reduce your risk.

1. Use a Reputable Online Fax Service

Switch from a traditional machine to an online fax service that uses TLS 1.3 in transit and AES-256 at rest. This single step eliminates the phone-line interception vulnerability and removes the physical security risks of a shared output tray. Services like mFax Business are built for exactly this.

2. Always Verify the Recipient Number

A misdirected fax is one of the most common causes of data breaches in healthcare and legal settings. Before sending any sensitive document, call ahead to confirm the fax number. For recurring transmissions, maintain a verified fax directory — and update it whenever a contact changes offices.

3. Use a Cover Sheet — Carefully

A cover sheet marks a fax as confidential and warns unintended recipients. However, never include sensitive data — like a patient name, Social Security number, or diagnosis — on the cover sheet itself. The cover sheet is the first page visible in the output tray. Keep it generic: sender, recipient, page count, and "CONFIDENTIAL" language only.

For a ready-to-use template, our free fax cover sheet generator creates professional cover sheets in seconds.

4. Enable Two-Factor Authentication

Enable 2FA on your online fax account. This ensures that even if your password is compromised, an attacker cannot access your fax history or send faxes on your behalf. Most reputable services — including mFax Business — support authenticator-app-based 2FA.

5. Set Role-Based Access Controls

In team environments, not every employee needs access to every fax. Configure your fax platform so that healthcare admins, legal staff, and billing teams each see only the faxes relevant to their role. This limits the blast radius of any compromised account and satisfies HIPAA's minimum-necessary standard.

6. Maintain and Review Audit Logs

A complete audit trail — who sent what, to whom, when, and who viewed it — is essential for both security investigations and compliance audits. Review your fax logs regularly. Look for unusual send patterns (large volumes, off-hours transmissions, unfamiliar recipients) that might indicate unauthorized use.

7. Train Your Team

Technology alone does not make faxing secure. Staff need to understand:

  • How to verify a fax number before sending
  • What information belongs on a cover sheet (and what doesn't)
  • How to handle a misdirected fax (notify privacy officer, request destruction)
  • How to recognize social engineering attempts that target fax systems

Regular training — even brief quarterly reminders — dramatically reduces human error, which remains the leading cause of fax-related data breaches.

8. Retire Unsecured Traditional Machines

If your organization still uses traditional fax machines, build a roadmap to replace them. In the interim: position machines in secured areas with restricted access, establish a policy for immediately retrieving incoming faxes, and ensure all decommissioned machines have their hard drives physically destroyed.

Top Secure Fax Services Compared (2026)

Here are the leading options for organizations that need secure, reliable faxing:

ServiceEncryptionHIPAA / BAAAudit TrailStarting Price
mFax BusinessTLS in transit, AES-256 at restYes — BAA availableFull audit trailFrom $9/mo
eFax Corporate256-bit encryption, HITRUST certifiedYes — Protect planYes$18.95/mo
RingCentral FaxTLS 1.2+, AES-256Yes — Enterprise plan + BAAYes$12.99/mo
Fax.PlusTLS 1.3, AES-256, ISO 27001Yes — Enterprise + BAAYes$6.99/mo
WestFaxTLS 1.2+, AES-256Yes — all plansYes$9.95/mo
Traditional Fax MachineNone — analog signalNot without additional safeguardsNoneHardware + phone line

Why mFax Business Stands Out for Teams

mFax Business combines enterprise-grade security (TLS transmission, AES-256 storage, BAA for HIPAA) with a clean web dashboard and mobile access — making it practical for teams that need to send and receive faxes without managing hardware. Pricing is usage-based with no rigid fixed tiers: you build your own plan with a live calculator, choosing the exact seats (1–35) and pages (200–5,000) you need and paying only for what you use, starting at about $9/mo (billed annually).

For Individual Faxing: mFax App

If you only need to send the occasional fax — a tax form, a medical records request, a legal document — the mFax app lets you fax from your iPhone or Android in under 2 minutes. No fax machine, no special hardware, no monthly commitment required. Over 5 million users trust mFax with a 4.8-star App Store rating.

Traditional Fax vs. Online Fax: Security at a Glance

Security FactorTraditional FaxOnline Fax (Quality Provider)
Transmission encryptionNone (analog signal)TLS 1.2 / TLS 1.3
Storage encryptionNoneAES-256
Physical exposure riskHigh (shared output tray)None (digital delivery)
Audit trailNoneFull log of all actions
HIPAA complianceRequires significant safeguardsAvailable with BAA
2FA supportNot applicableYes
Malware / Faxploit riskHigh (if on internal network)Low (cloud-isolated)
Misdirected fax detectionImpossible after transmissionLogged with delivery receipt

The security difference is not marginal. For any organization handling sensitive documents — healthcare records, legal filings, financial data, IRS forms — the case for moving to a quality online fax service is compelling.

Who Still Needs to Think About Fax Security?

Fax security matters most in regulated industries, but it's not limited to them:

  • Healthcare — HIPAA requires safeguards for PHI transmitted by fax. Faxing PHI securely requires encryption, a BAA, and audit logs.
  • Legal — Attorney-client privilege and court filing requirements demand documented, traceable transmissions.
  • Financial services — GLBA and PCI-DSS compliance applies to faxed financial records.
  • Government agencies — FERPA applies to education records; various federal standards apply to government-to-government transmissions.
  • Small businesses — Even without formal compliance requirements, sending contracts, invoices, or employee records over unsecured fax is an unnecessary risk.

If any of the above applies to you, review your current fax setup against the HIPAA fax requirements checklist as a starting point — even if you're not in healthcare, it's the most thorough security benchmark available.

How to Evaluate a Fax Service for Security

Before signing up with any fax provider, ask these questions:

  1. Does the service use TLS 1.2 or higher for data in transit?
  2. Does it use AES-256 for data at rest?
  3. Is a BAA available? For which plans?
  4. Does it provide full audit logs?
  5. Does it support two-factor authentication?
  6. What certifications does it hold? (SOC 2 Type 2, ISO 27001, HITRUST)
  7. Where is data stored? (Jurisdiction matters for GDPR and international compliance)
  8. What is the data retention policy? (How long are faxes stored, and can you delete them?)

A provider that can answer all eight questions clearly — with documentation — is one worth trusting with your sensitive documents.

Send Your Fax Securely Today

Is fax secure? With the right service and the right practices, yes — it can be among the most secure ways to transmit sensitive documents. The risks belong to traditional machines and careless practices, not to modern online fax done properly.

For individuals: Download the mFax app and send a fax from your phone in under 2 minutes — no hardware, no phone line, and significantly more secure than an aging office machine.

For teams and regulated industries: mFax Business gives you TLS encryption, AES-256 storage, HIPAA-ready infrastructure with BAA, team accounts, and a full audit trail — and lets you build your own plan around the exact seats and pages you need, starting at about $9/mo.

Frequently Asked Questions

Is faxing more secure than email?
Modern online fax is generally more secure than standard email. Online fax services use TLS encryption in transit and AES-256 at rest, while standard email travels unencrypted by default. Traditional fax machines are also less secure than email because they send analog signals over unencrypted phone lines with no audit trail.
Can a fax be intercepted?
Traditional fax transmissions can be intercepted by tapping phone lines, since the signal is unencrypted analog data. Online fax services protect against this with TLS 1.3 encryption during transit, making interception extremely difficult. Physical documents left in output trays remain a risk for traditional machines. See our guide to [can faxes be intercepted](/blog/can-fax-be-intercepted/) for a full breakdown.
Is online fax HIPAA compliant?
Online fax can be HIPAA compliant when the provider signs a Business Associate Agreement (BAA) and implements required safeguards — including encryption, access controls, and audit logs. Not all online fax services are HIPAA compliant by default; you must verify BAA availability before sending PHI. Learn more in our [HIPAA fax requirements guide](/blog/hipaa-fax-requirements/).
What encryption do fax services use?
Reputable online fax services use TLS 1.2 or 1.3 for encryption during transmission (data in transit) and AES-256 for documents stored on their servers (data at rest). Traditional fax machines use no encryption at all. See our [fax encryption explainer](/blog/fax-encryption/) for technical details.
What is the most secure way to send a fax?
The most secure way to send a fax is through a reputable online fax service that provides TLS encryption in transit, AES-256 at rest, a BAA for HIPAA compliance, two-factor authentication, and full audit trails. Services like mFax Business meet all of these requirements.
Home Business Pricing Fax API Blog Document Converter Company
Terms of Service Privacy Policy