How to Send a W-9 to a Client: 3 Secure Ways (2025 Guide)
Learn how to send a W-9 to a client the secure way. Compare 3 methods - encrypted portal, encrypted email, and password PDFs - in this 2025 step-by-step guide.
How to Send a W-9 to a Client: 3 Secure Ways (2025 Guide)
Quick Answer: The Safest Way to Send a W-9 in 2025
Use an encrypted upload portal with automatic expiration and audit logs. This method encrypts the W-9 in your browser before transmission, avoids email inbox exposure, provides a complete audit trail, and automatically deletes files after a set period—protecting both you and your client from data breaches.
Sending a W-9 seems simple—until you realize it contains a taxpayer identification number that criminals actively target. Whether you're a freelancer, contractor, or business owner, the way you transmit this sensitive form can mean the difference between professional security and exposing your client to identity theft.
Form W-9 requests your legal name, business name, address, and most importantly, your Taxpayer Identification Number (TIN)—usually your Social Security Number or Employer Identification Number. This is exactly the information fraudsters need to file false tax returns, open credit accounts, or commit financial fraud.
In 2024 alone, the FTC received over 1.1 million identity theft complaints, representing a 9.5% increase from the previous year. Total fraud losses reached $12.5 billion, up 25% from 2023. With stakes this high, choosing the right transmission method isn't optional—it's critical.
This guide compares three methods for sending W-9s to clients, ranked by security level, and provides step-by-step instructions for the safest approach.
Method 1: Encrypted Portal (Most Secure) ✅ Recommended
An encrypted upload portal is the safest and most professional way to send a W-9 to a client in 2025.
Why This Method Is Best
Unlike email, an encrypted portal ensures your W-9 never sits in vulnerable inboxes or email server backups. Instead, the document is:
- Encrypted in your browser before it leaves your device (client-side encryption)
- Transmitted securely via HTTPS with end-to-end protection
- Stored encrypted with automatic expiration (typically 30 days)
- Tracked completely with audit logs showing who accessed what and when
- Accessible only by authorized recipients with secure authentication
The IRS Publication 4557 on Safeguarding Taxpayer Data explicitly cautions against sending sensitive data by email and recommends encrypted transmission methods like secure file transfer protocols.
Best Practice
Best Practice: Always use a secure link with client-side encryption when sending taxpayer identification numbers. It's the safest and most professional option for protecting your clients' sensitive data.
How It Works: Step-by-Step
Sending a W-9 via Encrypted Portal
Generate Secure Link
Create a unique upload link that encrypts the W-9 client-side before it ever leaves your computer
Send to Client or Requester
Share the link via email or text. They don't need an account or login to access it
Upload W-9 Securely
The form is encrypted in your browser and stored securely with automatic expiration
Receive Instant Notification
The client is alerted the moment the file is uploaded—no inbox searching or lost attachments
Download Encrypted File
Client accesses and decrypts the file with their authorized account, including a full audit trail
Key Security Advantages
No Email Exposure
W-9 never sits in email inboxes or server backups where breaches commonly occur
Client-Side Encryption
File is encrypted in your browser before transmission using TweetNaCl XSalsa20-Poly1305
Automatic Expiration
Documents auto-delete after 30 days, minimizing long-term data retention risks
Complete Audit Trail
Track every upload, download, and access attempt for IRS compliance documentation
No Account Required
Recipients upload via simple link—no passwords or account creation needed
IRS Compliance Ready
Meets IRS safeguarding requirements with encrypted transmission and access logs
Best Use Cases
- Sending W-9s to clients regularly (accountants, bookkeepers, AP teams)
- Handling sensitive taxpayer data professionally
- Organizations needing audit trails for compliance
- Businesses that prioritize data security
Cost: Typically $15-50/month for professional services (often includes unlimited secure requests)
Method 2: Encrypted Email (Medium Security)
Encrypted email is better than plain email but still carries significant risks due to inbox compromise vulnerabilities.
Learn more about why email is risky for W-9s in our comprehensive security guide.
How It Works
"Encrypted email" typically means one of two things:
-
TLS encryption (Transport Layer Security) - Standard on Gmail, Outlook, and most modern email providers. Encrypts messages as they travel between servers.
-
End-to-end encryption (S/MIME or PGP) - Requires both sender and recipient to have encryption keys configured. More secure but complex to set up.
The Inbox Compromise Problem
Even with encrypted transmission, your W-9 is fully readable to anyone who:
- Compromises the sender's email account
- Compromises the recipient's email account
- Gains access to email server backups
- Exploits email provider vulnerabilities
The Verizon 2024 Data Breach Investigations Report analyzed over 30,000 security incidents and found that email and phishing remain the dominant attack vectors for data breaches.
Critical Limitation
Encrypted email still exposes the W-9 if either inbox is compromised. Most breaches happen inside email accounts—not during transmission. The IRS specifically warns that tax professionals are explicit targets for email-based attacks designed to steal client data.
When to Use This Method
Acceptable for:
- Occasional W-9 transmissions (1-2 per month)
- Both parties use properly configured encrypted email
- No secure portal access available
- Low-volume, low-risk scenarios
Requirements:
- Verify both sender and recipient support encryption
- Use strong, unique passwords for email accounts
- Enable two-factor authentication on email accounts
- Delete emails containing W-9s after download
Step-by-Step for Encrypted Email
- Verify encryption support: Confirm your email provider uses TLS (most do by default)
- Attach W-9 as PDF: Use a descriptive filename like "W9_[YourBusinessName]_2025.pdf"
- Write clear subject line: "W-9 Form for [Your Name/Business]"
- Send and verify delivery: Confirm recipient received it
- Delete from sent folder: Remove the email from your sent items and trash after confirmation
Cost: Free (if using existing email)
Method 3: Password-Protected PDF (Low Security / Last Resort)
Password-protected PDFs offer limited protection and should only be used as a last resort when no better option exists.
Why This Method Is Weakest
While password protection sounds secure, it has critical vulnerabilities:
Security Depends on Password Strength
- Adobe's own documentation notes that PDF security "ultimately depends on password strength"
- Weak passwords (like "W9password" or "2025") can be brute-forced in minutes
- Many users choose simple passwords that are easy to crack
Same-Inbox Vulnerability
- If you email the PDF and the password through the same email account, an attacker who compromises that inbox gets both pieces immediately
- This completely defeats the purpose of password protection
Technical Weaknesses
- Some PDF password protections can be bypassed or removed using readily available tools
- Security researchers have demonstrated ways to inject malicious code into encrypted PDFs without knowing the password
How to Use This Method (If You Must)
If you absolutely must use password-protected PDFs:
Password-Protected PDF Best Practices
Create Strong Password
Generate a 12+ character password with mixed case, numbers, and symbols—never reuse passwords
Encrypt the PDF
Use Adobe Acrobat or similar tool to add password protection (not just 'security settings')
Send PDF via Email
Attach the encrypted PDF to email with clear subject line
Share Password Separately
Call the recipient on the phone or use end-to-end encrypted messaging (Signal, WhatsApp) to share the password—NEVER in the same email
Confirm Receipt and Deletion
Ask recipient to confirm they opened the file successfully, then delete the email from both sides
Cost: Free (built into most PDF tools)
Risk Level: High (especially if password is shared via email)
Security Comparison: Which Method Should You Use?
W-9 Transmission Methods Compared (2025)
| Feature | Encrypted Portal | Encrypted Email | Password PDF |
|---|---|---|---|
| Setup Complexity | Easy | Medium | Low |
| Transmission Security | End-to-End | Depends on Provider | Weak |
| Storage Security | Encrypted + Auto-Delete | Stored in Both Inboxes | Stored in Inbox |
| Automatic Expiration | ✅ Yes (30 days) | ❌ No | ❌ No |
| IRS Audit Trail | ✅ Full Logs | ❌ None | ❌ None |
| Client Experience | Simple Link | Requires Configuration | Confusing |
| Risk Level | Very Low | Medium | High |
| Best Use Case | Professionals | Occasional Sends | Last Resort |
| Inbox Compromise Risk | ✅ Eliminated | ❌ High | ❌ High |
| Cost | $15-50/month | Free | Free |
Which Method Should I Use? Decision Framework
Choose the right method based on your situation:
✅ Use Encrypted Portal If:
- You handle W-9s regularly (accountants, bookkeepers, AP teams, HR)
- You need audit trails for IRS compliance
- Client data protection is a business priority
- You want to eliminate email inbox risks entirely
- Recommended for: Professional services, accounting firms, businesses handling 5+ W-9s per year
⚠️ Use Encrypted Email If:
- You only send 1-2 W-9s per year occasionally
- Both you and the client use properly configured encrypted email
- A secure portal isn't available or accessible
- Only if: You understand and accept the inbox compromise risk
❌ Use Password-Protected PDF Only If:
- You're absolutely forced to by the client's requirements
- No other option is technically possible
- You can share the password via phone (NOT email)
- Last resort only: This method has the weakest security
Frequently Asked Questions
Sending W-9s to Clients: Common Questions
You can, but it's risky. W-9s contain SSNs or EINs, and email isn't encrypted end-to-end. If either inbox is compromised, the W-9 can be exposed. The IRS recommends encrypting sensitive data and suggests using secure file transfer methods instead of standard email. A secure upload link is safer and more professional.
Yes. The IRS requires you to maintain W-9 information for at least four years for future reference in case of any questions from the requester or the IRS. Use secure storage or a portal with audit logs to avoid losing track of documents and to meet compliance requirements.
It's better than plain email but still imperfect. Encrypted email protects transmission, but if either inbox is hacked, the attacker can still access the file. Email and phishing remain the dominant breach vectors according to Verizon's Data Breach Investigations Report. Use encrypted email only if a secure portal isn't available.
Password PDFs offer limited protection. Security depends entirely on using a strong password and sharing it through a separate channel. If you send the PDF and the password through the same email account, an attacker who compromises that inbox gets both. Additionally, weak PDF encryption can be broken with readily available tools.
A secure encrypted upload portal is the safest method. It prevents email exposure, adds automatic expiration, encrypts files in your browser using client-side encryption, and keeps complete audit logs for IRS compliance. This approach aligns with IRS guidance to use encrypted channels and secure file transfer instead of standard email.
No. Standard SMS messages are not encrypted, and attachments are stored insecurely on multiple devices. CISA's mobile communications guidance explicitly states that SMS is vulnerable to interception and compromise. Use a secure encrypted portal instead—never text sensitive taxpayer information.
No—redacting required fields can invalidate the form. The IRS requires providing your correct TIN and other mandatory information on Form W-9. Instead of redacting, focus on sending it securely using an encrypted method that protects the complete, valid form.
Yes. Most professionals increasingly rely on secure portals because they reduce identity theft risk, provide better tracking, and offer cleaner workflows than email chains. Clients who prioritize data security appreciate the extra protection, and the IRS encourages businesses to safeguard taxpayer information using secure transmission methods.
Why Data Security Matters: The Real Costs
The stakes for mishandling W-9s extend far beyond inconvenience. See our complete guide to W-9 security best practices for more details.
Consumer fraud losses increased 25% year-over-year
FTC complaints involving taxpayer ID numbers
IBM/Ponemon 2024 Cost of Data Breach Report
With taxpayer ID numbers as the primary target, every W-9 you send represents a potential identity theft risk. The IBM Cost of Data Breach Report found that the average global breach cost jumped 10% to $4.88 million in 2024—the largest increase since the pandemic.
Compliance Requirement
IRS Compliance Requirement: The IRS requires you to safeguard taxpayer information under Publication 4557 and the Safeguards Program. Using a secure, encrypted method demonstrates due diligence and reduces your liability in case of a data incident.
Best Practices for W-9 Security
Regardless of which transmission method you choose, follow these security fundamentals:
Before Sending
- ✅ Verify the requester's identity (confirm via phone if email seems suspicious)
- ✅ Use a descriptive filename: "W9_[YourBusinessName]_2025.pdf"
- ✅ Double-check the recipient's email address for typos
- ✅ Never reuse the same W-9 password for multiple clients
During Transmission
- ✅ Use the most secure method available to you
- ✅ If using email, enable two-factor authentication on your account
- ✅ If using password PDFs, share passwords via phone, not email
- ✅ Confirm successful delivery before considering the task complete
After Sending
- ✅ Delete emails containing W-9s from sent folder and trash
- ✅ Keep your own encrypted copy for your records (4-year retention)
- ✅ Document when and how you sent it for your audit trail
- ✅ Monitor for any suspicious activity on your accounts
The Professional Standard: Why Encrypted Portals Win
While encrypted email and password-protected PDFs can work in limited scenarios, professional accounting firms, bookkeepers, and AP teams have moved to encrypted upload portals as the standard for W-9 collection.
The reason is simple: encrypted portals are the only method that:
- Eliminates inbox exposure (the #1 breach vector)
- Provides automatic expiration (limits long-term risk)
- Creates audit trails (IRS compliance documentation)
- Encrypts client-side (true end-to-end protection)
- Requires no recipient accounts (simple UX for clients)
- Scales effortlessly (handles 1 or 1,000 W-9s equally well)
This isn't just about security—it's about professionalism. When you send a client a secure portal link instead of asking them to email their Social Security number as an attachment, you're demonstrating that you take their data protection seriously.
Stop sending W-9s via email
Start free with 20 secure uploads per month. No credit card required.
Trusted by 1000+ accounting professionals
Conclusion: Choose Security Over Convenience
Email is fast and familiar, but when handling documents that contain Social Security numbers and EINs, convenience isn't worth the risk.
The three methods ranked by security:
- 🏆 Encrypted Portal - Best practice for professionals (eliminates inbox risks)
- ⚠️ Encrypted Email - Acceptable for occasional use (inbox compromise risk remains)
- ❌ Password PDF - Last resort only (multiple weaknesses)
The IRS guidance on safeguarding taxpayer data is clear: encrypt sensitive information and avoid using standard email for transmission. NIST's security publications explicitly state that some sensitive information should never be sent by email at all.
Your clients trust you with their most sensitive information. Show them that trust is well-placed by choosing a transmission method that prioritizes their data security over your convenience.
The bottom line: If you handle W-9s regularly, invest in a secure encrypted portal. If you send them occasionally, use encrypted email with proper precautions. And if you're forced to use password-protected PDFs, share passwords via phone—never through the same email.
Try W9Vault's encrypted portal free and send your first secure W-9 request in under 5 minutes.
Last Updated: January 2025 | For IRS guidance, consult Publication 4557 and the IRS Safeguards Program. For NIST security guidance, see NIST Email Security publications.
