diff --git a/Gemfile b/Gemfile
index 15302537..f5fb5506 100644
--- a/Gemfile
+++ b/Gemfile
@@ -65,6 +65,7 @@ group :development, :test do
 end
 group :development do
+ gem 'brakeman', '~> 6.0'
 gem 'capistrano', '~> 3.17.1', require: false
 gem 'capistrano-bundler', '~> 1.6', require: false
 gem 'capistrano-rails', '~> 1.4', require: false
@@ -73,10 +74,10 @@ group :development do
 gem 'capistrano-rvm', require: false
 # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
 gem 'listen', '>= 3.0.5', '< 3.2'
- gem 'web-console', '>= 3.3.0'
 # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
 gem 'spring'
 gem 'spring-watcher-listen', '~> 2.0.0'
+ gem 'web-console', '>= 3.3.0'
 end
 group :test do
diff --git a/Gemfile.lock b/Gemfile.lock
index 13ed3b29..bdf2f49e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -76,6 +76,7 @@ GEM
 autoprefixer-rails (>= 9.1.0)
 popper_js (>= 1.14.3, < 2)
 sassc-rails (>= 2.0.0)
+ brakeman (6.0.1)
 builder (3.2.4)
 byebug (11.1.3)
 capistrano (3.17.3)
@@ -372,6 +373,7 @@ DEPENDENCIES
 bcrypt_pbkdf
 bootsnap (>= 1.1.0)
 bootstrap (~> 4.4.1)
+ brakeman (~> 6.0)
 byebug
 capistrano (~> 3.17.1)
 capistrano-bundler (~> 1.6)
diff --git a/app/models/submitter.rb b/app/models/submitter.rb
index 3022c306..6c5584e0 100644
--- a/app/models/submitter.rb
+++ b/app/models/submitter.rb
@@ -5,7 +5,7 @@ class Submitter < ApplicationRecord
 validates :first_name, presence: true
 validates :last_name, presence: true
 validates :mailing_address, presence: true
- validates :phone_number, presence: true, format: { with: /\d{3}-\d{3}-\d{4}/, message: 'Please use the format 111-111-1111' }
+ validates :phone_number, presence: true, format: { with: /\A\d{3}-\d{3}-\d{4}\z/, message: 'Please use the format 111-111-1111' }
 validates :email_address, presence: true, format: { with: URI::MailTo::EMAIL_REGEXP, message: 'Please enter a valid email' }
 def self.to_csv
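Review bot: The new `gem 'brakeman', '~> 6.0'` line in the Gemfile's `group :development` block has no `require: false`, unlike the capistrano entries next to it, so `Bundler.require` will load the scanner into the development app process even though it is only run from the command line. I would write it as `gem 'brakeman', '~> 6.0', require: false`. Nothing in the hunks shown here actually runs the scan (a CI step or rake task may exist elsewhere in the commit); if it is meant to run in CI, check that the job installs the development group.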
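Review bot: In app/models/submitter.rb the anchored pattern only applies to future saves: rows stored while the pattern was unanchored can still hold a phone_number with extra text around the digits, and they will fail validation on their next update. `self.to_csv` starts on the last line of the hunk and its body is outside it, so if it exports phone_number those older values presumably still reach the CSV; a one-off check of existing rows against the new pattern would settle that. A short comment above the validation would also help the next editor, for example `# \A and \z anchor the whole string; an unanchored pattern accepts any value that merely contains a match`.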
diff --git a/spec/models/submitter_spec.rb b/spec/models/submitter_spec.rb
index 8e577f84..12473b59 100644
--- a/spec/models/submitter_spec.rb
+++ b/spec/models/submitter_spec.rb
@@ -26,18 +26,32 @@
 expect(subject).to_not be_valid
 end
+ it 'is valid with a properly formatted phone_number' do
+ subject.phone_number = '111-111-1111'
+ expect(subject).to be_valid
+ end
+
 it 'is not valid without a phone_number' do
 subject.phone_number = nil
 expect(subject).to_not be_valid
 end
- it 'is not valid without a email_address' do
- subject.email_address = nil
- expect(subject).to_not be_valid
+ it 'is not valid with an improperly formatted phone_number' do
+ [
+ '1111111111', # no dashes
+ '111-1111-1111', # too many digits
+ '11-111-1111', # too few digits
+ '111-111-1111abc', # additional characters
+ 'abc111-111-1111', # additional characters
+ '1-111-111-1111' # too many sections and digits
+ ].each do |invalid_number|
+ subject.phone_number = invalid_number
+ expect(subject).to_not be_valid, "Expected #{invalid_number} to be invalid"
+ end
 end
- it 'is not valid without a formatted phone_number' do
- subject.phone_number = '1111111111'
+ it 'is not valid without a email_address' do
+ subject.email_address = nil
 expect(subject).to_not be_valid
 end
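Review bot: The invalid list in 'is not valid with an improperly formatted phone_number' has no value containing a newline, so the spec would still pass if `\z` in the model were later loosened to `\Z` or `$`, both of which accept a trailing newline. Adding `"111-111-1111\n"` and `"111-111-1111\nabc"` to the array (double-quoted so the escape is interpreted) pins the anchoring this commit introduces. The enclosing describe block starts and ends outside the hunk.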