Fake quick-response (QR) codes used by a contact-tracing program were hijacked by a man who slapped up scam QR codes on top to redirect users to an anti-vaccination website. He now faces two counts of obstructing operations carried out relative to COVID-19 under the Emergency Management Act. No personal data was breached, but the incident highlights that truly all an attacker needs is a printer and a pack of Avery labels to do real damage. QR codes are not human-readable and therefore nearly impossible to detect if the quick-read code directs the user is safe or malicious.
Source: https://threatpost.com/anti-vaxxer-hijacks-qr-codes-covid19/165701/