True, but in general the QR -> link thing you mentioned is genuinely a nightmare. Especially when it also passes through a URL shortener first. I've seen that happen all the time. They use these QR code SaaS things that put their own short URL in the actual QR. This lets you change the URL even after you've sent the QR to others. But phishing-wise it's a nightmare as you can imagine.