Hacker News

bigfishrunning, yesterday at 9:22 PM (3 replies)

So people scan a QR code, and then enter a secure banking PIN? This sounds like a security problem waiting to happen...


Replies

unmole, today at 2:39 AM

QR code based payment systems have been widely used across Asia for well over a decade. That doesn't stop randos on HN from middlebrow fear mongering.

wiradikusuma, yesterday at 9:42 PM

The QR code doesn't open a link. It's just "gibberish" text only usable by an app that can understand it (e.g. banking apps).

(I don't know anything about UPI, but in Indonesia we use a similar system)

SanjayMehta, today at 1:32 AM

It depends on the QR code:

1. Static QR codes displayed by the vendor have the problem you describe.

2. Dynamic QR codes are time-limited and have the amount embedded in them along with the destination. These are the ones generated by websites or POS terminals for payment. Most people will only use these at a POS terminal, pay and move on.

Fraudulent websites have used static QR codes, but I'm told one can dispute the transaction and the amount is usually reversed in a couple of days.