By Sarah Martinez · Published April 16, 2026 · Updated June 8, 2026 · 9 min read
Is fax secure? The short answer: it depends entirely on how you fax. A traditional fax machine sends your documents as unencrypted analog signals over phone lines — with no encryption, no audit trail, and physical pages sitting exposed in an output tray. A modern online fax service, on the other hand, wraps every transmission in TLS 1.3, stores documents with AES-256 encryption, and logs every action for compliance.
The gap between those two worlds is enormous. This guide breaks down the real security risks of traditional and online faxing, shares 8 best practices for keeping your faxes safe, and compares the top secure fax options available in 2026.
Bottom Line Up Front
Modern online fax services are more secure than traditional fax machines — and, for encrypted transmission, more secure than standard email. The key is choosing a provider with TLS encryption, AES-256 at rest, a BAA for HIPAA, and two-factor authentication.
Is Traditional Fax Secure?
Traditional fax machines are not secure by modern standards. They transmit documents as analog signals over the Public Switched Telephone Network (PSTN) — and those signals are not encrypted.
Here's what that means in practice:
- Phone line interception: A skilled attacker can tap into phone lines and decode the analog signal, capturing your document as it travels. This is especially risky on lines that pass through external junctions or third-party infrastructure.
- Physical exposure: Faxes arrive in a shared output tray. Any document sitting there — a medical record, a contract, a legal filing — is visible to whoever walks past. Research consistently shows that documents linger in output trays for hours in shared office environments.
- No audit trail: Traditional machines keep no record of who sent what, when, or to whom. If a document goes astray, you have no way to investigate.
- Internal hard drive copies: Many multifunction printers store copies of every fax on an internal hard drive. When the machine is decommissioned or sold, that data goes with it unless the drive is wiped.
- Faxploit vulnerabilities: Check Point Research demonstrated in the "Faxploit" attack that a single malicious fax can exploit protocol vulnerabilities in a fax machine to inject malware and spread through the connected network — using nothing but the publicly listed fax number.
The Faxploit Risk Is Real
In 2018, Check Point researchers showed that knowing only an organization's fax number, they could send a specially crafted image that exploited HP multifunction printer firmware — gaining access to the entire corporate network. Traditional fax machines have no firewall, but most are connected to internal networks.
Traditional fax had a reputation for security largely because phone lines were perceived as harder to intercept than the open internet. That assumption was always shaky — and it's no longer valid at all.
Is Online Fax Secure?
Online fax is significantly more secure than traditional machines — provided you choose a reputable provider. Reputable services use:
- TLS 1.2 / TLS 1.3 for encryption during transmission (data in transit)
- AES-256 for documents stored on servers (data at rest)
- Two-factor authentication (2FA) to protect account access
- Full audit logs recording every send, receive, view, and download
- SOC 2 Type 2 certification and/or ISO 27001 for infrastructure security
The result: a fax sent via a quality online service is protected end-to-end in ways a traditional machine simply cannot match. Check our complete guide to online fax security for a deeper technical breakdown.
That said, not all online fax services are equal. A low-cost consumer service may transmit over TLS but store documents unencrypted, skip audit logging, or share infrastructure that doesn't meet compliance requirements. Vetting your provider matters.
Online Fax vs. Email
Standard email is arguably less secure than quality online fax. Most email travels unencrypted between servers, is prone to phishing and account compromise, and provides no delivery confirmation. Online fax with TLS + AES-256 beats standard email on every security dimension.
Is Online Fax HIPAA Compliant?
Online fax can be HIPAA compliant — but HIPAA compliance is not automatic. To be compliant when transmitting Protected Health Information (PHI):
- The provider must sign a Business Associate Agreement (BAA) — this is a legal requirement under HIPAA. Without a BAA, no service is HIPAA compliant, regardless of its technical features.
- Encryption must be in place — TLS in transit and AES-256 at rest.
- Access controls must restrict who can see faxes — role-based permissions, 2FA.
- Audit logs must record all access — who accessed what, and when.
Services like mFax Business, eFax, and RingCentral all offer BAAs and HIPAA-ready configurations. Traditional fax machines offer none of these by default. See our detailed HIPAA fax requirements guide for the full checklist.
No BAA = Not HIPAA Compliant
Even the most technically secure fax service is not HIPAA compliant unless you have a signed BAA in place. Always confirm BAA availability before sending PHI.
8 Best Practices for Secure Faxing
Whether you're using a traditional machine or an online service, these practices significantly reduce your risk.
1. Use a Reputable Online Fax Service
Switch from a traditional machine to an online fax service that uses TLS 1.3 in transit and AES-256 at rest. This single step eliminates the phone-line interception vulnerability and removes the physical security risks of a shared output tray. Services like mFax Business are built for exactly this.
2. Always Verify the Recipient Number
A misdirected fax is one of the most common causes of data breaches in healthcare and legal settings. Before sending any sensitive document, call ahead to confirm the fax number. For recurring transmissions, maintain a verified fax directory — and update it whenever a contact changes offices.
3. Use a Cover Sheet — Carefully
A cover sheet marks a fax as confidential and warns unintended recipients. However, never include sensitive data — like a patient name, Social Security number, or diagnosis — on the cover sheet itself. The cover sheet is the first page visible in the output tray. Keep it generic: sender, recipient, page count, and "CONFIDENTIAL" language only.
For a ready-to-use template, our free fax cover sheet generator creates professional cover sheets in seconds.
4. Enable Two-Factor Authentication
Enable 2FA on your online fax account. This ensures that even if your password is compromised, an attacker cannot access your fax history or send faxes on your behalf. Most reputable services — including mFax Business — support authenticator-app-based 2FA.
5. Set Role-Based Access Controls
In team environments, not every employee needs access to every fax. Configure your fax platform so that healthcare admins, legal staff, and billing teams each see only the faxes relevant to their role. This limits the blast radius of any compromised account and satisfies HIPAA's minimum-necessary standard.
6. Maintain and Review Audit Logs
A complete audit trail — who sent what, to whom, when, and who viewed it — is essential for both security investigations and compliance audits. Review your fax logs regularly. Look for unusual send patterns (large volumes, off-hours transmissions, unfamiliar recipients) that might indicate unauthorized use.
7. Train Your Team
Technology alone does not make faxing secure. Staff need to understand:
- How to verify a fax number before sending
- What information belongs on a cover sheet (and what doesn't)
- How to handle a misdirected fax (notify privacy officer, request destruction)
- How to recognize social engineering attempts that target fax systems
Regular training — even brief quarterly reminders — dramatically reduces human error, which remains the leading cause of fax-related data breaches.
8. Retire Unsecured Traditional Machines
If your organization still uses traditional fax machines, build a roadmap to replace them. In the interim: position machines in secured areas with restricted access, establish a policy for immediately retrieving incoming faxes, and ensure all decommissioned machines have their hard drives physically destroyed.
Top Secure Fax Services Compared (2026)
Here are the leading options for organizations that need secure, reliable faxing:
| Service | Encryption | HIPAA / BAA | Audit Trail | Starting Price |
|---|---|---|---|---|
| mFax Business | TLS in transit, AES-256 at rest | Yes — BAA available | Full audit trail | From $9/mo |
| eFax Corporate | 256-bit encryption, HITRUST certified | Yes — Protect plan | Yes | $18.95/mo |
| RingCentral Fax | TLS 1.2+, AES-256 | Yes — Enterprise plan + BAA | Yes | $12.99/mo |
| Fax.Plus | TLS 1.3, AES-256, ISO 27001 | Yes — Enterprise + BAA | Yes | $6.99/mo |
| WestFax | TLS 1.2+, AES-256 | Yes — all plans | Yes | $9.95/mo |
| Traditional Fax Machine | None — analog signal | Not without additional safeguards | None | Hardware + phone line |
Why mFax Business Stands Out for Teams
mFax Business combines enterprise-grade security (TLS transmission, AES-256 storage, BAA for HIPAA) with a clean web dashboard and mobile access — making it practical for teams that need to send and receive faxes without managing hardware. Pricing is usage-based with no rigid fixed tiers: you build your own plan with a live calculator, choosing the exact seats (1–35) and pages (200–5,000) you need and paying only for what you use, starting at about $9/mo (billed annually).
For Individual Faxing: mFax App
If you only need to send the occasional fax — a tax form, a medical records request, a legal document — the mFax app lets you fax from your iPhone or Android in under 2 minutes. No fax machine, no special hardware, no monthly commitment required. Over 5 million users trust mFax with a 4.8-star App Store rating.
Traditional Fax vs. Online Fax: Security at a Glance
| Security Factor | Traditional Fax | Online Fax (Quality Provider) |
|---|---|---|
| Transmission encryption | None (analog signal) | TLS 1.2 / TLS 1.3 |
| Storage encryption | None | AES-256 |
| Physical exposure risk | High (shared output tray) | None (digital delivery) |
| Audit trail | None | Full log of all actions |
| HIPAA compliance | Requires significant safeguards | Available with BAA |
| 2FA support | Not applicable | Yes |
| Malware / Faxploit risk | High (if on internal network) | Low (cloud-isolated) |
| Misdirected fax detection | Impossible after transmission | Logged with delivery receipt |
The security difference is not marginal. For any organization handling sensitive documents — healthcare records, legal filings, financial data, IRS forms — the case for moving to a quality online fax service is compelling.
Who Still Needs to Think About Fax Security?
Fax security matters most in regulated industries, but it's not limited to them:
- Healthcare — HIPAA requires safeguards for PHI transmitted by fax. Faxing PHI securely requires encryption, a BAA, and audit logs.
- Legal — Attorney-client privilege and court filing requirements demand documented, traceable transmissions.
- Financial services — GLBA and PCI-DSS compliance applies to faxed financial records.
- Government agencies — FERPA applies to education records; various federal standards apply to government-to-government transmissions.
- Small businesses — Even without formal compliance requirements, sending contracts, invoices, or employee records over unsecured fax is an unnecessary risk.
If any of the above applies to you, review your current fax setup against the HIPAA fax requirements checklist as a starting point — even if you're not in healthcare, it's the most thorough security benchmark available.
How to Evaluate a Fax Service for Security
Before signing up with any fax provider, ask these questions:
- Does the service use TLS 1.2 or higher for data in transit?
- Does it use AES-256 for data at rest?
- Is a BAA available? For which plans?
- Does it provide full audit logs?
- Does it support two-factor authentication?
- What certifications does it hold? (SOC 2 Type 2, ISO 27001, HITRUST)
- Where is data stored? (Jurisdiction matters for GDPR and international compliance)
- What is the data retention policy? (How long are faxes stored, and can you delete them?)
A provider that can answer all eight questions clearly — with documentation — is one worth trusting with your sensitive documents.
Send Your Fax Securely Today
Is fax secure? With the right service and the right practices, yes — it can be among the most secure ways to transmit sensitive documents. The risks belong to traditional machines and careless practices, not to modern online fax done properly.
For individuals: Download the mFax app and send a fax from your phone in under 2 minutes — no hardware, no phone line, and significantly more secure than an aging office machine.
For teams and regulated industries: mFax Business gives you TLS encryption, AES-256 storage, HIPAA-ready infrastructure with BAA, team accounts, and a full audit trail — and lets you build your own plan around the exact seats and pages you need, starting at about $9/mo.