Explain to non tech savvy person how to check that your connection to mybank.com is safe?
Why security indicators fail vs. phishing
There is no action that can be taken that is economically viable. Put another way, it's too effortful to defend against phishing attacks. See 'So long and no thanks for the externalities' for an example on the US economy and information workers.
You are correct that checking for URL correctness is error-prone, and HTTPS passive security indicators are a big joke. They go unnoticed, they have for years been meaningless (what does it mean if the keypad is blue or green or grey!?), and were they to be more prominent / active, people would get habituated to see them and attacks could simply buy a certificate for a rogue URL so that the name checks out.
The solution to this issue must be architectural, rather than rely on wasting the time of humans and on said humans to not make mistakes. Why is it that Web browsers don't have a centralised, trusted repository from which to verify the URLs of banks and reputable payment/transfer websites, so that unique security indicators can be used for such sites?
Solution: make users rely on a secure interaction rather than make them deal with the limitations of indicators
I would tell people to go onto the website once, make sure the URL is correct once (you can help them), and save it in their favourites. And use exclusively the favourites button so they know they are on the right website. I would tell them (without details) that you never know where you'll land when clicking a link or searching for a website but the favourites button always takes you to the right place. How? Doesn't matter.
At this stage, users are guaranteed to land on the correct URL. If an active MITM attack is occurring, they will get the scary certificate warning, which they normally don't have for their banking website. Warning habituation is a very real thing, and figures are missing to determine whether users would pay attention to it in the context of a previously trusted banking website. Improving on this warning (e.g. making it scarier for bank sites) would also require knowledge of what is and isn't a bank's website.
Update 09/2018:
While I previously stated that this might be a good option, the world has changed, and the use of EV is no longer a particularly reliable indicator, even given the drawbacks mentioned below. There are articles such as this one from Troy Hunt which explain the full issue, but, in short, browsers are no longer treating EV certificates as something particularly special, and are hiding or reducing the indicators of EV status.
Taking the first of the sites shown previously, for instance, gives the following display in, respectively, Chrome 69, Edge, Firefox 62 and Internet Explorer 10. Safari on mobile shows a green padlock and "Barclays PLC", Chrome on mobile shows a green padlock, "https" in green, then the rest of the URL in black.
In other words, even if the site does use an EV certificate, there isn't a single indicator that can be easily communicated to a non-technical person anymore. It was always at the mercy of browsers, and it's no longer treated as anything special.
So, what's the alternative? Nothing springs to mind: the URLs below are from a range of subdomains of the bank sites, which makes looking for the bank name harder, and it doesn't work on some mobile devices, which don't show the full URL. The padlock symbol is easy to work around, given the availability of free SSL certificates for domains you control. Browsers mostly currently show "https://", but not "http://" now, but relying on that remaining the case has most of the same issues as relying on the green address bar.
That leaves typing the bank address into the address bar each time, and being absolutely sure it's not got typos in, which is not a reliable method either. Searching isn't reliable: most search providers are pretty good at weeding out fake links in adverts on terms like "online banking login", but it only takes one missed link. Following links from the main bank site just moves the verification issue up one level.
I suppose it's down to just being careful: use a single device to access the banking site, using a bookmark which has been checked carefully on creation, and don't allow anyone else to access that device, so they can't be modified. It probably makes sense for some people, but I could see that being a too high burden on the average user, where devices are shared with family members or could be accessed by co-workers.
Original 02/2016:
I was going to suggest that ensuring that the login screen for the online banking system showed the name of the bank in green, in the address bar might work. But then I started wondering if any of the local banks I know about did that properly.
It's less encouraging than I'd hoped. For these nine fairly large banks, 6 provide the name of the bank in the EV cert bar. 2 provide the name of the parent group (which might not always be obvious), and one doesn't even have an EV certificate.
The EV certificate is designed to make this easy, if it's used properly - you can't fake it easily, and it's outside the page area, so can't be inserted by a malicious actor. However, it seems that banks aren't doing so well at using it..
"I am asking how to explain to an ordinary user how to check that the browser is using HTTPS and that you are on the right site..."
I agree with what others have said here about looking for the lock as well as the "s" in https and verifying that the url after the // is correct. That is what I remind my clients to do. All financial institutions will have these things as a minimum
Other approaches like the "green name" in EV certs are helpful but not all banks use them because they are much more expensive and take more paperwork to implement (to prove who you are) than a standard SSL cert.
Two things I'd add to the discussion are to maybe focus on how people get to the banking site.
If they're getting there via a bookmark (ok as long as you always use the same computer and browser), or via the bank's mobile app, or by typing in the (hopefully short and spelled correctly) url of their bank each time, then they're much less likely to encounter phishing or MITM attacks.
However if they're responding to a link in an email claiming to be from the bank (always dubious), or off a search engine's results, then they should be extra cautious or avoid these avenues altogether.
The other thing I do with my clients is to warn them of the consequences if they get careless... like discovering transactions they didn't make and/or money gone from their account, transferred to countries where recovery might well be impossible (such as Russia or China). Basically, a little fear/paranoia can go a long way toward keeping folks vigilant and their accounts safe. Hope this helps!