Definitely a con, it's really common at the moment. I would suggest she looks at have [haveibeenpwned.com
] and see if her email address turns up in one of the data breaches they track. That will give her an idea of what might be compromised and need changing.
Macs don't really need endpoint protection (anti-virus) and for Windows machines Defender from Microsoft is fine. What I would suggest is a) use unique passwords for every site b) switch on two-factor authentication on any service where it's available.