Yeah to be fair ronski common sense is mostly all you need, your wife no offense was lacking it by clicking the link.
Windows defender I am not a fan off because of its habit of running background scans which is stupid, but in the latest windows 10 it has some very good anti malware technology that beats a lot of commercial solutions that are aimed at home users. If you on build 1803 or newer, goto the security dashboard and check "core isolation" also check "app and browser control" and then in that section "exploit protection", the latter is what used to be EMET, but is now integrated into windows defender. It sadly doesnt come with hardly anything preconfigured, so out of the box doesnt do a whole lot, but if configured right it will be practically impossible to penetrate. By default CFG etc. will protect windows binaries but rules can be created to protect browsers and other binaries. I am still waiting for the day Windows enables Applocker for consumers and also has pre configured rules for it aswell, but they really want to keep that one for enterprise only.
An example today I got a paypal email telling me my account was restricted, all I had to do was look at the sender yep its a spoof, common sense, also hover over the link reveals the true destination without having to click it.
Avast isnt too bad, but for it to work really well, I would enable the hardened mode and put it in the normal (not agressive) setting, in that mode, anything not verified as whitelisted needs manual overide to be executed on the system, its not convenient, but its powerful in that mode.