Skip to main content

Security best practices in contact creation

Using open web forms to add contacts to a database comes with inherent risks, ranging from malicious attacks that exploit vulnerabilities, to attempts to disrupt businesses. This article examines how you can mitigate these kinds of risks and uphold the integrity and security of your Engage account.

Open sign-up forms and the Engage API

Access to the Engage API using your API key should, like any online service, be handled in a safe and secure way. For example, if you have created an open online sign-up form, this could be abused by a malicious actor to register non-existing contacts. And as long as the sign-ups from that form don’t exceed the API’s rate limit, Engage has no way to tell that these are not legitimate contacts.

This clearly causes other problems: polluting your contact pool with fake accounts, skewing your BI reports, and opening the possibility of sending out SMS to these fake contacts (if you have set up automations to do this) which can incur actual costs.

Therefore this safety aspect needs to be considered and planned for.

Mitigating risks

Here's how to think, prepare and act concerning these kinds of risks.

Identify the entry points

Start by identifying all the various entry points that malicious entities can exploit, including custom-built forms, API integrations, and third-party tools used for data collection.

Minimize the influx of bad entries

Keep an eye on your contact database growth in the Engage dashboard or through reports. This will allow you to spot abnormal growth rates in your database.

Implement data validation techniques to verify the authenticity of personal information and data points. See the contact field definitions.

Use unique identifiers, such as email addresses and mobile phone numbers, to prevent duplication of contacts and enforce data integrity. Check with your Voyado team to ensure that those identifiers are actually set to be unique in your Engage environment.

Cross-reference new contact registration with those already existing to detect potential duplicates or suspicious entries. See this article on identifying contacts.

Implement CAPTCHA mechanisms and double opt-in processes (see more here) to add an additional layer of security and verification for sign-ups.

Reduce the costs of bad SMS send-outs

Implement a whitelist on registration forms to validate phone numbers based on specified country codes. This will reduce the likelihood of sending SMS to erroneous or international numbers. Ask your Voyado team to help you configure this.

Use segmentation in automation processes to target specific audiences, which minimizes the risk of unnecessary SMS dispatches.

Consider buying prepaid packages of SMS messages, creating a ceiling on the number that can be sent out per month. This helps minimize losses in the event of a malicious incident.


By sticking to these best practices and being vigilant about potential security threats, you can maintain the integrity of your contact database. Proactive measures, coupled with continuous monitoring and adaptation, are key to mitigating these risks and ensuring a secure onboarding and contact creation process.