usually insisting they see a padalock, while possibly less foolproof, tends to be more secure. The phishers don't normally register an ssl certificate for their domain (so they can https) since it will get blacklisted within 8 hours or so and those things are pricey.
I've seen more than one phishing site that had a gold padlock as their tiny url icon, or a bar across the top meant to look like the URL bar with a padlock in it, so obviously they recognize this weakness.
