
The Fax Security Myth—And What Actually Protects Your Data

Your Fax Machine Might Be the Biggest Hole in Your Security

Why the ‘security’ of fax is mostly a myth—and what actually matters for protecting counterparty communications

At DEF CON 26 in 2018, security researchers from Check Point demonstrated something that should have ended the ‘fax is secure’ debate permanently. They showed that with nothing more than a target’s fax number—publicly available for most organizations—an attacker could compromise an entire corporate network. The vulnerability, dubbed ‘Faxploit,’ exploited flaws in the ITU T.30 fax protocol that hadn’t been updated since the 1980s.

The attack was dead simple. Send a malformed fax image containing malicious code. When the fax machine receives it, the image is automatically decoded and loaded into memory. From there, the researchers deployed EternalBlue—the same exploit behind WannaCry—and spread through the network. No phishing email required. No tricking an employee into clicking a link. Just a fax number.

Here’s the part that should concern every operations manager still fielding arguments about fax being ‘more secure’: no security software scans incoming faxes. There’s no firewall equivalent for fax traffic. Prevention, as the researchers put it, is ‘almost impossible’ without patching individual devices—devices that, in most organizations, sit forgotten on the network.

The Myth That Won’t Die

We hear it constantly from prospective clients: ‘We prefer fax because it’s more secure.’ The reasoning usually goes something like this: fax travels over phone lines, not the internet, so it can’t be intercepted. It’s point-to-point. It’s been used for sensitive documents for decades.

There’s a kernel of truth here. Traditional analog fax over the PSTN (the public switched telephone network, or ‘plain old telephone service’) does have some genuine security properties. The transmission is point-to-point and doesn’t traverse the open internet. Man-in-the-middle attacks require physical access to the phone line. And fax machines aren’t susceptible to phishing.

But here’s what that argument misses: almost nobody is using traditional analog fax anymore. Modern fax machines are network-connected devices running embedded software that rarely gets patched. Fax-over-IP sends data across the internet just like email. And even when the transmission itself is secure, the endpoints often aren’t.

The security of your communications doesn’t depend on which protocol you use for transmission. It depends on how that communication is received, processed, stored, and tracked.

The Attack Surface Problem

Think about what happens when a counterparty sends you a document via fax versus TLS-encrypted email.

With properly configured TLS email, the document arrives encrypted in transit, lands in a managed email system with access controls and logging, and can be routed directly into workflow automation. One hop. One system. One audit trail.

With fax, the document hits a fax machine or server—often an unpatched device sitting on your main network segment. If it’s a physical machine, paper sits in the tray until someone retrieves it. Then someone scans it back into digital form. Then someone manually enters the data or routes it to the right person. Each step is a potential failure point. Each step is an opportunity for documents to be lost, misfiled, or accessed by the wrong person.

Security professionals call this ‘attack surface’—the sum of all the points where an unauthorized user could access your systems or data. A larger attack surface means more potential vulnerabilities. Fax doesn’t reduce your attack surface. It expands it by adding devices, physical documents, and manual processes that wouldn’t exist with direct digital communication.

A fax that lands on an unpatched machine on your main network, gets printed, sits in a tray, gets scanned by a temp worker, and ends up in an unencrypted folder is not secure—regardless of how it was transmitted.

What a Ferrari Pit Crew Taught Surgeons About Handoffs

In the late 1990s, Great Ormond Street Hospital in London had a problem. Their pediatric cardiac surgery unit was experiencing unacceptably high error rates during patient handoffs—the critical transition from operating theatre to intensive care. The surgical outcomes were excellent. But something was going wrong in the handover.

Two surgeons, Dr. Martin Elliott and Dr. Allan Goldman, were watching Formula 1 on television after a long day when something clicked. A pit crew changes tires, refuels, and gets a car back on track in under seven seconds with zero errors. The same team does this repeatedly under intense time pressure. Why couldn’t a surgical handoff work the same way?

They called Ferrari. And Ferrari invited them to Maranello.

When Ferrari’s engineers reviewed videos of the hospital’s handoff process, their assessment was blunt: shoddy, noisy, uncoordinated, with no clear leadership. The pit crew, in contrast, had defined roles, choreographed positions, a single person in charge (the ‘lollipop man’), and communication protocols practiced until they became automatic.

The hospital adopted the pit crew’s methodology. They assigned the anesthetist as team lead. They defined specific roles and positions. They implemented checklists and structured handoffs. The results: technical errors dropped by 42%. Combined equipment and information errors fell from 30% to 10%.

The lesson wasn’t about any single piece of equipment or any individual’s skill. It was about the process. Chaos kills. Structure saves.

The Real Problem with Fax Isn’t Security—It’s Chaos

Every day, broker-dealer operations teams deal with the equivalent of that hospital’s chaotic handoff process. Documents arrive via fax from dozens of counterparties. Someone has to retrieve them. Someone has to figure out what they are and where they go. Someone has to enter data into systems. Someone has to track whether responses were received. Someone has to find the document again when auditors come calling.

There’s no lollipop man. There’s no defined process. There’s no single source of truth.

When your counterparty sends a Letter of Free Funds via fax, what happens? Maybe it gets printed. Maybe it sits in a digital queue. Maybe it gets processed that day. Maybe it doesn’t. Maybe someone manually enters the account number correctly. Maybe they transpose two digits. Maybe the response gets tracked in a spreadsheet. Maybe it doesn’t.

And when the examiners show up asking about your Regulation T compliance, you need to prove what was verified, when, by whom, and what the response was. Good luck reconstructing that from a pile of faxes and a spreadsheet maintained by someone who left the firm two years ago.

What Actually Matters for Secure Operations

The fax-versus-email debate is a distraction. What matters is whether your communications infrastructure—whatever protocols it uses—provides:

Encryption in transit and at rest. Documents should be protected whether they’re moving or sitting in storage. TLS handles transit. Your platform should handle the rest.

Immutable audit trails. You need to prove who sent what, when it was received, who processed it, and what the outcome was. SEC Rule 17a-4 requires it. Examiners expect it. A fax log doesn’t cut it.

Centralized tracking and workflow automation. Documents should route automatically to the right people. Exceptions should surface. Nothing should fall through the cracks because someone was on vacation.

Access controls. Only authorized personnel should see sensitive documents. That’s hard to enforce when paper sits in a shared fax tray.

Tested security. Not ‘we assume it’s secure because we’ve always done it this way,’ but actually tested by people trying to break it.
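To make the ‘immutable audit trail’ requirement concrete, here is an added Python illustration (not Loffa’s code and not a description of their platform) of a hash-chained log that records each handling step for a document regardless of whether it arrived by fax or email, and detects any later edit, reordering or deletion. All event values, document ids, numbers and addresses are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # value the first entry's "prev" field chains to

def _digest(record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()

def append_event(trail, *, ts, channel, sender, doc, actor, action, outcome):
    """Append one handling event. Each entry stores the previous entry's hash,
    so editing, reordering or deleting any earlier record breaks the chain."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry = {"seq": len(trail), "ts": ts, "channel": channel, "sender": sender,
             "doc": doc, "actor": actor, "action": action, "outcome": outcome,
             "prev": prev}
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry

def verify_trail(trail):
    """Return (True, None) if every entry is intact and correctly chained,
    otherwise (False, seq) for the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev"] != prev or _digest(record) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None

def sample_trail():
    # Constructed events for one Letter of Free Funds: it arrives by fax, is
    # routed and processed, and the response goes out by email. Not real data.
    trail = []
    append_event(trail, ts="2024-03-04T14:02:11Z", channel="fax", sender="+1-555-0100",
                 doc="LFF-0001", actor="intake-service", action="received", outcome="queued")
    append_event(trail, ts="2024-03-04T14:05:40Z", channel="fax", sender="+1-555-0100",
                 doc="LFF-0001", actor="router", action="routed", outcome="ops-desk-2")
    append_event(trail, ts="2024-03-04T15:17:03Z", channel="email", sender="ops@example.com",
                 doc="LFF-0001", actor="jdoe", action="verified", outcome="funds-confirmed")
    return trail
```

A hash chain makes tampering detectable, not impossible; a 17a-4-style record store still needs write-once storage and retention controls around it.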

A Platform That Handles Both—Securely

At Loffa Interactive Group, we’ve spent 20+ years building infrastructure for broker-dealer communications. We understand that you can’t just tell your counterparties to stop faxing. Some will. Some won’t. You need a platform that handles both fax and email, centralizes everything, and applies consistent security and workflow controls regardless of how documents arrive.

Our products—FVD for free funds verification, PBIN for prime brokerage documentation, QBS for quarterly broker statements—all work this way. Documents come in however they come in. The platform handles routing, tracking, and response management. Everything gets logged. Everything gets stored in compliance with 17a-4. When examiners ask questions, you have answers.

We don’t just claim to be secure. We prove it. This year alone, we’ve been audited by over 20 major Wall Street brokers. We’ve passed customer penetration tests, third-party pen tests, code reviews, backup verification, SOC 2 Type II audits, and SOC 1 audits. Our CVE monitoring catches vulnerabilities before they become problems. We operate in the most demanding vendor risk environments on Wall Street because our clients’ data security is foundational to our business model.

The question isn’t whether to use fax or email. The question is whether your communications infrastructure has the controls, audit trails, and security testing that modern operations require. If your current process involves paper in trays, spreadsheets for tracking, and a prayer that nothing falls through the cracks, it doesn’t matter how ‘secure’ you think fax transmission is. Your process has gaps.

Time to Rethink the Handoff

Great Ormond Street Hospital didn’t improve outcomes by arguing about which brand of surgical equipment was best. They improved by redesigning their process—bringing structure to chaos, defining clear roles, and building systems that surfaced problems instead of hiding them.

Your operations deserve the same approach. If you’re still debating fax versus email, you’re asking the wrong question. Ask instead: does our process have a lollipop man? Is there a single source of truth? Can we prove compliance when asked? Are we actually secure, or do we just assume we are because we’ve always done it this way?

If you’d like to see what structured, tested, audit-ready communications infrastructure looks like, we’d be happy to show you.

This post is for informational purposes only and does not constitute legal or security advice. For guidance on specific regulatory obligations or cybersecurity practices, consult your counsel, compliance advisor, or security team.