I don't much use QR codes, but when I want to go to a URL I got in email, and it looks like that, even if the email otherwise seems legit, I just type in the URL to the real site directly. Clicking on such a link feels like deliberately falling for a phish.