I highly suggest checking to make sure this advice is not part of the training you’re giving your users. It really is outdated.
“Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.”
As further explanation Brian also describes what the “padlock” has always represented, which is not that the site is “safe” per se.
In reality, the https:// part of the address (also called “Secure Sockets Layer” or SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can’t be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.
So yes, having the padlock is better than being on a site without it, but really what is needed is to check, and double-check, the actual URL, or even better, before you type in any credentials, go open a new tab and type it yourself.