Use a QR reader app that doesn't auto open links (or lets you configure it like that), so you see the URL and inspect it before opening the URL in the browser.
In case of a short URL, use a short URL resolver so you can see what is the real destination without actually opening the URL yourself.
Using a DNS with block lists (that are updated often) of known phishing sites.
If these 3 checks fail, there is not much more you can do.
As far as I know, the options are:
If these 3 checks fail, there is not much more you can do.