Browser-makers' decision to put big red warning lights in the faces of users when they hit sites too slack to use HTTPS is backfiring a little, as crooks are accelerating their use of encryption.
Story @ The Register
Original @ Netcraft
So just because it's HTTPS doesn't mean it's legitimate. This is something many professionals are often aware of but most home users take for granted. At the end of the day, follow the basic rules for identifying phishing emails, if you don't know who it's from, weren't expecting it or are generally not sure what it is, delete it, DO NOT CLICK THE LINKS!
Likewise with phishing websites, if it is a site you know then manually type the address into your address bar and login from there.