I saw this on a First Capital Connect train here in the UK. What could possibly go wrong?
Ignoring the horrible marketing-speak “Engage with this poster” header, several things can go wrong. I didn’t have NFC, so I couldn’t try that out. But scanning the QR code took me to http://kbhengage.zpt.im/u/aCq58 which, at the time, was advertising for… Just Eat. Not villaplus.com. Oops.
Similarly, texting “11518” to 78400 produced:
Thanks for your txt, please tap the link: http://kbhengage.zpt.im/u/b6q58 Std. msg&data rates may apply Txt STOP to end Txt HELP for help
which also led to content that did not match the displayed poster.
So clearly, the first risk is that the electronic interactive bits are not part of the posters themselves, and so the posters can be changed without the interactive parts being updated to match.
But also, there’s the secondary risk of QR codes – they are opaque to humans. Someone can easily make a sticker and paste a new QR code on top of the existing one, and no-one would see anything immediately amiss. But when you tried to “engage with this poster”, it would then take you to a website of the attacker’s choice.
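Because the QR code itself cannot be read by eye, the only place to catch a mismatch is after decoding, before the link is opened. The following is an added example, not part of the original post: a check a scanner app or a poster audit could run, comparing the decoded host with the advertiser printed on the poster. The function names, the redirector list and the `attacker.example` samples are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: hosts treated as short-link redirectors, whose
# final destination cannot be judged from the QR payload alone.
REDIRECTOR_DOMAINS = ("zpt.im",)

def host_matches(host, domain):
    """True if host is domain itself or a subdomain (label-boundary match)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def assess_qr_url(decoded, expected_domain):
    """Compare a decoded QR payload with the advertiser named on the poster.

    Returns (verdict, host): "match", "redirector" (destination is opaque
    until resolved), "mismatch", or "invalid" (not an http(s) URL).
    """
    try:
        parts = urlsplit(decoded.strip())
        host = parts.hostname  # ignores any user@ prefix in the authority
    except ValueError:
        return ("invalid", None)
    if parts.scheme not in ("http", "https") or not host:
        return ("invalid", None)
    if host_matches(host, expected_domain):
        return ("match", host)
    if any(host_matches(host, d) for d in REDIRECTOR_DOMAINS):
        return ("redirector", host)
    return ("mismatch", host)

if __name__ == "__main__":
    # First URL is the one from the poster; the rest are constructed samples.
    samples = [
        "http://kbhengage.zpt.im/u/aCq58",
        "https://www.villaplus.com/offers",
        "http://villaplus.com@attacker.example/",
        "https://villaplus.com.attacker.example/",
        "mailto:someone@example.com",
    ]
    for s in samples:
        print(assess_qr_url(s, "villaplus.com"), s)
```

The poster's own link comes back as "redirector": the short-link host says nothing about where the user ends up, which is why neither a stale campaign nor a pasted-over sticker is visible at scan time.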