A long-standing Twitter issue allows bad actors to manipulate tweets so that they appear to contain content from one site but link to a completely different one. This makes it possible to create tweets that look like legitimate articles from well-respected sites but actually link to pages serving phishing, malware, or scams. Facebook has the exact same problem: it reads only the tags and displays their contents on the cards, regardless of the actual website domain, title, etc. BleepingComputer has set up a proof-of-concept page that looks like Dropbox's login panel.
Source: https://www.bleepingcomputer.com/news/security/twitter-can-be-tricked-into-showing-misleading-embedded-links/
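
Because the card is built from the tags rather than from the site that serves the page, a link scanner or mail gateway can compare the two. The following is an added example, not code from BleepingComputer, Twitter or Facebook: it assumes the tags of interest are `og:url`, `twitter:url` and `twitter:domain`, that `final_url` is the address reached after following redirects, and it uses constructed sample HTML with reserved `.example` hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the card tags worth comparing; the article only says "the tags".
CARD_KEYS = ("og:url", "twitter:url", "twitter:domain")

class CardMeta(HTMLParser):
    """Collect the first value of each card-related <meta> tag."""
    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        key = (a.get("property") or a.get("name") or "").lower()
        if key in CARD_KEYS and key not in self.tags:
            self.tags[key] = a.get("content", "").strip()

def host_of(value):
    """Host from a URL or bare domain, lowercased, leading 'www.' dropped."""
    value = value.strip().lower()
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    return host[4:] if host.startswith("www.") else host

def card_mismatches(final_url, html):
    """Return sorted (tag, claimed_host) pairs that disagree with the serving host."""
    parser = CardMeta()
    parser.feed(html)
    real = host_of(final_url)
    out = []
    for key, content in parser.tags.items():
        claimed = host_of(content)
        # A subdomain of the claimed host is treated as the same site.
        if claimed and claimed != real and not real.endswith("." + claimed):
            out.append((key, claimed))
    return sorted(out)

# Constructed sample: tags name one site, the page is served from another.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Quarterly results">
<meta property="og:url" content="https://www.trusted-news.example/story">
<meta name="twitter:domain" content="trusted-news.example">
</head><body>Sign in</body></html>"""

if __name__ == "__main__":
    print(card_mismatches("https://landing.other-site.example/x", SAMPLE_HTML))
```

An empty result means the card's claimed origin matches the host that served the page; any returned pair is a reason to treat the preview as untrusted.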

