For those who don’t know, it’s where someone takes a QR code like on a poster for a concert and puts a sticker with a different QR code on top to a fake website that looks like the concert website (or a Rick Roll).
The obvious answer is to scratch off the QR code if you notice it’s a sticker, but It’s not always acceptable -or legal- to start damaging stuff to check if it’s real or not. Also what if it’s out of reach on a sign or something?
You can’t put a little text under saying what the website is as a sort of checksum because the vandal can just write their own website under their sticker.
Browsers should probably warn if a site on which you are filling forms with personal information or payment methods have been issued with KYC or not. And clearly state to whom physical persona or enterprise that certificate was issued.
Though I worry about the barrier from many people to get those certificates and then privacy concerns. It’s a balance between privacy and democracy and fighting scams. My guess is that browsers should only warn in certain websites, but in which websites and how to detect them… That eludes me, seems complex.