Eight out of ten mistyped URLs lead to typosquatting sites, says Sophos, after a marathon experiment in bad typing.
The security firm traced every possible one-character typo for the Facebook, Google, Twitter, Microsoft, Apple and Sophos homepages.
These included omitting one letter, for example Sopos; mistyping one letter, for example Spphos; and adding one letter, for example Ssophos. They checked 1,502 websites and 14,495 URLs in total.
And while some of these turned out to be real sites - racebook.com, for example, is a betting site - a full 80 percent were typosquatted - indeed, the figure for variants of the Apple homepage was 86 percent.
Typosquatters aim to make money from traffic directed to these sites by typing mistakes, sometimes through click revenue, sometimes through more nefarious means.
According to Sophos, the greatest proportion - 15 percent - led to advertising sites. Twelve percent were found to be IT & hosting pages, implying that someone's registered them in the hope of selling them on at a later date.Just over one in 20 was classified as cybercrime or adult.
The vast majority - 64 percent - of squatted domains were hosted in the US, with Germany and China trailing at 4.6 percent and 4.1 percent respectively.
"It's so easy to mistype a URL, and it's inevitable that from time to time you will end up on an unintended website. In the worst cases, careless typing can lead you to a criminal website designed to steal your identity or phish your credentials," says Graham Cluley, senior technology consultant at Sophos.
"A good idea is to bookmark your favourite websites rather than rely upon your fingers working correctly."