It depends on the QR code:

1. Static QR codes displayed by the vendor have the problem you describe.

2. Dynamic QR codes are time limited, have the amount embedded in them along with the destination. These are the ones generated by websites or POS terminals for payment. Most people will only use these at a POS terminals, pay and move on.

Fraudulent websites have used static QR codes but I'm told one can dispute the transaction and the amount is usually reversed in a couple of days.