Monday, November 26, 2018

Half of all Phishing Sites Now Have the Padlock

Many information security tip guides include a "look for the padlock" step for finding legitimate websites. We now live in a world where half of all phishing websites have the padlock in the browser's location bar! This is according to a Brian Krebs report that references new PhishLabs data.

There has always been confusion over what the padlock means. It never meant that the website was legitimate. It meant that the owner paid money to a Certificate Authority to validate a keypair such that certain traffic is encrypted between a computer and the website. Over the past few years, the cost of this validation process has decreased greatly.

The following quote is from the Krebs article and summarizes the meaning of the padlock.

"The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers."

Be very careful with links you receive. Cyber Monday is a great chance for malicious people to trick you.