Is Fax Secure? What You Need to Know

Fax has a reputation for being secure — but the reality depends on the technology behind it. Here is what actually protects a fax transmission, where the real vulnerabilities are, and how to send documents safely.

Is Fax Secure? What You Need to Know

By Sarah Martinez · Published May 7, 2026 · Updated June 8, 2026 · 6 min read

Is fax secure? The short answer: it depends on which kind of fax you mean. Traditional fax machines offer some inherent security advantages — but also have serious gaps. Modern online fax services, when properly configured, are among the safest ways to transmit sensitive documents. Understanding the difference can save you from an expensive data breach.

Bottom Line

Online fax from a reputable provider (TLS 1.3 + AES-256 + BAA) is more secure than standard email for sensitive documents. Traditional fax machines are not encrypted and carry physical document risks. Which you should use depends on your security requirements.

Traditional Fax: What Protects It

Traditional fax transmits data over the Public Switched Telephone Network (PSTN) — the analog phone grid. This creates a few inherent security properties:

Point-to-point transmission. Unlike email, which bounces through multiple relay servers, a traditional fax establishes a direct connection between sender and receiver. There are no intermediate servers storing or forwarding your document.

Not a common attack target. Intercepting an analog fax line requires physical access to telephone infrastructure — a splice on a specific copper wire. This is difficult, expensive, and leaves physical evidence. Casual or remote attackers cannot intercept a PSTN fax.

No persistent digital copy (in transit). The transmission itself leaves no file on a mail server or cloud storage. Once the call ends, there is no digital artifact to breach.

These qualities gave fax its reputation for security in the 1980s and 1990s — and in narrow contexts, they still hold. For a threat model where remote network intrusion is the primary concern, analog fax is notably resistant.

Traditional Fax: Where Security Breaks Down

The protections above come with significant caveats.

No encryption. Traditional fax machines transmit data as unencrypted analog signals. If someone does tap the phone line, they can reconstruct the document. There is no TLS, no AES — nothing.

VoIP undermines the PSTN assumption. Most telephone infrastructure has migrated from copper lines to Voice over IP (VoIP). When a fax travels over a VoIP network, it becomes internet data — and inherits internet risks including packet sniffing and man-in-the-middle attacks. The "physically tap the wire" protection disappears.

Physical document exposure. Printed faxes emerge from the output tray and sit there until someone picks them up. In a shared office, a hospital nursing station, or a law firm reception desk, that document is visible to anyone who walks by. This is how most real-world fax breaches happen — not wire taps, but unattended paper.

No audit trail. Who received the document? When? Did they read it? Traditional fax cannot answer these questions. For regulated industries, the absence of an audit trail is itself a compliance failure.

Misdirected fax. One transposed digit and your patient's lab results go to a stranger's machine. There is no recall, no unsend, no way to know who received it.

The Biggest Real-World Risk

Studies consistently find that misdirected fax — not interception — is the most common cause of fax-related data breaches. Always confirm the recipient's fax number before sending sensitive documents.

Online Fax: The Modern Security Standard

Online fax services replace the phone-line transmission with encrypted internet delivery. A well-built service adds multiple layers that traditional fax cannot offer:

Security FeatureTraditional FaxOnline Fax (Good Provider)
Encryption in transitNoneTLS 1.3
Encryption at restNoneAES-256
Audit trailNoYes — sender, recipient, timestamp
Access controlsNoYes — user permissions, 2FA
HIPAA BAA availableNoYes (required for PHI)
Delivery confirmationPaper report onlyDigital receipt with timestamp
Document retrievalPhysical paperSecure web portal

The critical word is good provider. Not every online fax service implements security correctly. When evaluating a provider, check for:

  • TLS 1.3 for data in motion (not just "SSL" — that's outdated marketing language)
  • AES-256 for documents stored on their servers
  • Business Associate Agreement (BAA) — mandatory if you handle PHI under HIPAA
  • SOC 2 certification or equivalent infrastructure audit
  • Zero-retention option — some providers delete documents after delivery rather than storing them indefinitely

For a detailed breakdown of what HIPAA technically requires, see our HIPAA fax requirements checklist.

Fax vs. Email: Which Is More Secure?

For most sensitive documents, online fax beats standard email. Here is why:

Email was not designed with security in mind. A typical email passes through 3–5 relay servers before reaching the recipient, and each hop can store a copy. Standard SMTP has no mandatory encryption — your email may travel in plaintext across parts of the internet without you knowing. Copies sit in sent folders, inbox archives, and potentially backups indefinitely.

Online fax creates a direct, verified delivery path. The recipient's fax number routes to a specific machine or inbox — not a shared mail server. Delivery is confirmed, timestamped, and logged. For legal and healthcare use cases where delivery proof matters, this is a meaningful advantage.

The comparison changes if your email uses end-to-end encryption (S/MIME or PGP) — in that case, encrypted email and encrypted online fax are roughly equivalent. But standard business email, without explicit encryption configuration, loses to reputable online fax.

For a deeper comparison, see our guide on online fax security.

5 Best Practices for Secure Faxing

Whether you use traditional or online fax, these practices reduce your exposure:

  • ✓Verify the fax number before every send. Misdirected fax is the most common breach vector. Confirm once, then confirm again for anything sensitive.
  • ✓Use a cover sheet with a confidentiality notice. State that the document contains confidential information and provide a return contact if received in error. Our free cover sheet generator includes this language automatically.
  • ✓Never leave printed faxes unattended. Retrieve received faxes immediately. In healthcare or legal environments, route incoming faxes to a private printer or a secure digital inbox.
  • ✓Choose a provider that signs a BAA. For any document containing PHI, a Business Associate Agreement is not optional — it is a legal requirement under HIPAA.
  • ✓Enable two-factor authentication. For online fax accounts, 2FA prevents unauthorized access even if your password is compromised.

Choosing the Right Solution

For individual or occasional use — sending a tax form, a signed contract, a medical record — the mFax app gives you encrypted fax from your phone in under two minutes. No fax machine, no trip to a store.

For businesses, healthcare providers, or legal teams with ongoing fax needs, mFax Business adds the full compliance stack: HIPAA-ready infrastructure, a signed BAA, team accounts, audit logs, and virtual fax numbers — starting at about $9/mo (billed annually). Instead of locking you into rigid fixed tiers, you build your own plan with a live calculator — choose exactly the seats and pages you need and pay only for what you use.

Both options are significantly more secure than sending a document to an unmonitored office fax machine and hoping the right person picks it up.

For a comprehensive look at how fax security has evolved, read our full guide: Is Fax Still Secure? The Complete Answer.

Frequently Asked Questions

Is fax more secure than email?

Modern online fax is more secure than standard email for sensitive documents. Email passes unencrypted through multiple relay servers and stores copies at each hop. A reputable online fax service uses TLS in transit and AES-256 at rest, with a direct verified delivery path and no persistent intermediate copies.

Can faxes be intercepted?

Traditional analog fax can theoretically be intercepted by physically tapping a phone line — but this requires direct physical access to telephone infrastructure and leaves evidence. Online fax encrypted with TLS 1.3 cannot be intercepted in transit without the encryption key. The far more common real-world risk is misdirected fax due to a wrong number.

Is faxing safe for personal information?

It depends. Traditional fax has no encryption and exposes printed documents. Online fax from a provider using TLS + AES-256 is safe for sensitive information including medical records and financial documents — provided you verify the recipient number and use a provider with strong security practices.

What makes an online fax service secure?

The minimum bar for sensitive documents: TLS 1.3 in transit, AES-256 at rest, access controls, audit trails, and a BAA for HIPAA-covered use cases. mFax Business meets all of these standards.

Is traditional fax HIPAA compliant?

No — not automatically. Traditional fax machines lack encryption, produce unsecured printed output, and provide no audit trail. To meet HIPAA requirements, organizations must use an online fax provider that signs a BAA and implements the required technical safeguards. See our HIPAA compliant fax guide for the full requirements.

Frequently Asked Questions

Is fax more secure than email?
For sensitive documents, yes — modern online fax is more secure than standard email. Email passes unencrypted through multiple relay servers and stores copies at each hop. A reputable online fax service uses TLS encryption in transit and AES-256 at rest, creating a direct verified delivery path with no persistent intermediate copies.
Can faxes be intercepted?
Traditional analog fax can theoretically be intercepted by physically tapping a phone line — though this requires significant resources and physical access to telephone infrastructure. Online fax encrypted with TLS 1.3 cannot be intercepted in transit. The more common real-world risk is misdirected fax — one wrong digit sends sensitive documents to the wrong recipient entirely.
Is faxing safe for sensitive personal information?
It depends on the method. Traditional fax over analog lines has no encryption, and printed output sits exposed in a paper tray. Online fax from a reputable provider (with TLS + AES-256 encryption) is safe for sensitive information including medical records, legal documents, and financial forms. Always confirm the recipient's number before sending.
What makes an online fax service secure?
Look for TLS 1.3 encryption in transit, AES-256 for stored documents, a Business Associate Agreement (BAA) for HIPAA-covered entities, access controls and audit logs, and a clear data retention policy. Services like [mFax Business](https://mfax.to/business/) include all of these out of the box.
Is traditional fax HIPAA compliant?
Traditional fax machines are not automatically HIPAA compliant. They lack encryption, produce unsecured printed output, and provide no audit trail. To meet HIPAA requirements, organizations must use an online fax provider that signs a BAA and implements required technical safeguards.
Home Business Pricing Fax API Blog Document Converter Company
Terms of Service Privacy Policy