Criminals have realized that QR codes are not human readable and are taking advantage. Shocking isn’t it? From The Register:
Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites.
It’s extremely simple to print out a sticker pointing to a bogus URL and put it on an existing billboard in a public place. A casual user simply uses the QR code and instead of going to the intended location they go to a malicious website. Of course we could require SSL for QR codes so there’s some overhead in creating them (you need an SSL cert), but that still wouldn’t fix the problem correctly.
Humans need to be able to understand their own decision making process. A human pointing at a QR code is a human making a decision to do the unknown. That’s the problem. You can’t combine “decision” and “unknown” and reliably have a good outcome.