You can't assume the padlock means a site is legitimate.
You can't assume that a site is honest because it has that "secure" padlock in the address bar, and PhishLabs just illustrated why. The anti-phishing company has
determined that 49 percent of all known phishing sites used Secure Sockets Layer protection (and thus displayed the padlock) as of the third quarter of 2018. That's a sharp rise from 35 percent in the second quarter, and a steep climb from 25 percent a year earlier. They'll still try to trick you into handing over vital details -- it's just that their web traffic will be encrypted while they do it.