As far as I know, the options are:

• Use a QR reader app that doesn’t auto open links (or lets you configure it like that), so you see the URL and inspect it before opening the URL in the browser.
• In case of a short URL, use a short URL resolver so you can see what is the real destination without actually opening the URL yourself.
• Using a DNS with block lists (that are updated often) of known phishing sites.

If these 3 checks fail, there is not much more you can do.