I hadn't really heard much about this but apparently four out of five results returned when asking Google for a 'bitcoin qr generator' lead to scam websites. The sites then generated a QR code that encodes an address controlled by the scammers instead of the one necessary for the user.
Apparently instead of scammers making their own fake QR codes they have a blockchain explorer API to generate the QR for their address.

This scam falls into the reported $4 billion of digital currency stolen in Ciphertrace AML report.

https://www.forbes.com/sites/billybambrough/2019/09/12/researchers-have-issued-a-serious-bitcoin-qr-code-warning/#3ef6ff256d12