We used to believe that a padlock shown in a web browser’s address bar meant that we were connected to a safe and secure web site. That’s no longer true. In fact, it never was completely true.
The padlock is shown when a web site has a security certificate installed and the connection is made using an encrypted “https” connection.
HTTPS protocol. (The letter “S” after “http” indicates a “secure” connection.) In fact, an https connection has some arguable drawbacks. Mainly, there’s virtually no barrier to anyone obtaining HTTPS certification, which has made it attractive for criminal groups hoping to add an air of authenticity to bogus sites. That little green padlock guarantees that you’re sending data encrypted, but not that the person on the receiving end has scruples.
When hackers create web sites to trap you, they almost always obtain a security certificate that will work on HTTPS and will display a little green padlock in your web browser. If so, your connection will be secure but you probably will still be ripped off by the hackers that run the site.
You can also read an article by internationally-known security expert Brian Krebs’ article about all the hacker sites that are now displaying https padlocks at https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/
Sadly, many web browsers will claim you have an insecure connection if https isn’t used. In fact, that warning is meaningless. The web site may still be insecure whether https is used or not.
In short, a padlock and an https connection are meaningless these days.