When you scan a QR Code, you don’t always know where you’ll end up, so you could land on a web page that includes malicious code. This process is called QRishing.
Safe QR Code scanners typically check a database of malicious sites, and if the destination site is not in the database, the site is deemed to be safe. If the site is in the database, the user first gets a warning message, at which point they can decide whether or not to visit the site.
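The lookup described above, as an added example (not code from any particular scanner): the decoded QR payload is parsed, its host is normalised, and the host and its parent domains are checked against the database before anything is opened. The function name, the verdict strings and the blocklist entries are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Constructed blocklist (reserved .example names); a real scanner would
# query a maintained database of malicious sites instead.
BLOCKLIST = frozenset({"malicious.example", "bad-login.example"})


def classify_qr_payload(payload, blocklist=BLOCKLIST):
    """Classify text decoded from a QR Code.

    Returns (verdict, detail), where verdict is one of:
      "warn"       - destination is in the database: warn before opening
      "not_listed" - web URL that is not in the database
      "non_web"    - not an http(s) URL, so the site lookup does not apply
    """
    text = payload.strip()
    try:
        parts = urlsplit(text)
        # urlsplit lower-cases the hostname; drop a trailing root dot so
        # "site.example." matches "site.example".
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return ("non_web", "unparseable")

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not host:
        return ("non_web", scheme or "text")

    # Check the host and each parent domain, so a subdomain of a listed
    # site is caught. The bare top-level label is never looked up alone.
    labels = host.split(".")
    for i in range(max(1, len(labels) - 1)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return ("warn", candidate)
    return ("not_listed", host)


if __name__ == "__main__":
    samples = [  # constructed payloads
        "https://login.malicious.example/reset",
        "HTTPS://Malicious.Example./",
        "https://www.example.org/menu",
        "mailto:someone@example.org?subject=Hello",
    ]
    for s in samples:
        print(s, "->", classify_qr_payload(s))
```

The verdict for an unlisted site is named `not_listed` because the lookup only shows that the site is absent from the database.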
Sophos, a British security software company, is currently offering a free QR Code scanner called Sophos Intercept X to Android and iPhone users, which you can get from the relevant App Store. I’ve used the app on an iPhone and whilst it is good for scanning QR Codes that direct you to a URL, the scanner doesn’t work well with QR Codes that generate email messages.
How big is the current risk? It’s hard to say, but a point to bear in mind is that at the moment people click links very liberally all over the internet without knowing where they are going, and that activity is not risk-free either. Good and improving browser technology is steadily reducing the risks associated with landing on malicious sites, and most QR Code scanners launch standard browsers.
In other words, you are to some degree protected by the browser software your QR Code scanner launches.