How Scan to Email is a Security Risk

Using multi-function copy/scan/fax machines to send scanned documents directly to an email recipient has security downsides. Learn about alternate ways to more securely accomplish this.

How To Scan a Document To E-mail.

Scan to E-mail

Many organizations have their multi-function copy/scan/fax machines configured to send scanned documents directly to an email recipient. This article discusses the security downsides of that process and gives alternate work arounds.

We’ve all done it. A client needs a document that we have in hard copy. We walk to the copy machine and use the Scan to Email function to send the document directly to the client’s email address. The client gets an ugly looking email with an automated subject line (who likes to type on the copy machine keypad?) with the PDF as an attachment. Besides looking terrible, there’s also a security risk with this practice.

Security Risk

We are moving into a digital age where identity is of key importance. In order for a copy machine to send email, we are forced to allow the copy machine to impersonate a user. When a machine impersonates a user, security holes need to be punched in your defenses, making it easier for an attacker to gain a foothold. Secondly, most copy machine manufacturers focus their efforts on print/scan functionality, not security. Because of this, firmware updates are generally few and far between.  


There’s always a balance between security and productivity. You still have a hard copy document that needs to get securely to the customer. We recommend the following process:

  1. Scan document to file storage (this could cloud storage or local file server)
  2. Walk back to your desk and send a link to the document to your customer.  

Why to Send a Link Instead of the Actual Document

A common tactic that bad actors use is to gain access to an email inbox (average hacker’s “dwell time” in an email inbox is 200 days!) so they can get access to your sent items and other emails that contain attachments with sensitive information that they can use to steal additional information.  

When we use a file sharing service (Microsoft OneDrive, Box, Citrix Files etc) to send a link to the sensitive information, we control the information. On those links, we can set controls like number of times the file can be accessed, how long the link is valid etc. By keeping control of the actual data, we remove much of the risk involved with sending sensitive data.  

Next Steps

Reach out today to have us help you develop a secure data process!  We can help you learn the status of your security and where improvements can be made; give us a call and we’ll be glad to assist. Learn about how Philantech3 is keeping your business safe in a continually shifting environment.

Image by mohamed Hassan from Pixabay

Information Technology Aligned With Your Business Goals?
Philantech3 is a complete IT services & IT support company working with organizations in Spokane.