As some people here also remarked: you can’t expect the average user to understand the technicalities about redirects etcetera. I think it’s best to keep stressing that:

• Be suspicious whenever any email (or popup or anything else) asks you to do something quickly or else some unpleasant thing will happen (account suspended, services withdrawn: anything). Check with your bank (or whatever) if necessary, but again, capitalised and in bold: NEVER, EVER ACT ON THREATS / DIRE WARNINGS IN EMAIL without checking if it’s OK (hint: it’s not)
• Also: never, ever respond to any request that asks you to provide passwords, security tokens, etcetera. Check with your bank if necessary, but you bet they will answer “don’t”.
• I recognise that this requires a good grasp of English, but if you have that: if an official-looking mail contains even one spelling error, it’s fake.
• Ditto for shabby or inconsistent-looking layout. The example in this case has, for instance, these default 1996-looking blue links. In an otherwise stylised mail that spells “fake, delete me!”
• And as you say, pay attention to the padlock and icon of a verified https connection.

Cyber-criminals might come up with tricks, but I don’t think they’re really getting “smart”. If they really were, they wouldn’t be petty cyber-criminals.