Facebook users think that preview data shown by Facebook is reliable, and will click the links they are interested in, which makes them easily targeted by attackers that abuse this feature in order to perform several types of attacks, including phishing campaigns/ads/click fraud pay-per-click. Facebook does not validate if the link mentioned in ‘og:url’ meta tag is same as the page URL, allowing spammers to spread malicious web pages on Facebook with spoofed URLs. The social media giant refused to recognise it as a security flaw and referred that Facebook uses “Linkshim” to protect against such attacks.
Source: https://thehackernews.com/2017/10/facebook-link-spoofing.html