"The safer thing to do..."
This QR code problem is just a subset of a wider problem. Marketing engage "specialist" digital marketing companies to handle this for them. These companies are never going to get access to the client's domain so they either set up a domain that includes their client's name or just use their own. And that applies not just to promotional websites but also email shots, surveys - anything and everything. This trains the general public into accepting that anything that claims to come from their bank, their govt, their sauce maker or anyone else actually is from them, and clicking without a second thought.
It really needs to be a sackable offence to commit any digital marketing initiative without getting sign-off from IT security.