We all have a few family members that aren't quite up to date with technology. Feel free to use this letter. No attribution required.
Dear %FAMILYMEMBER% ,
Thanks for your Internet Security question.
Gmail is probably better than AOL security-wise, but it's not a magic bullet. Security is a process, not a thing you do once. Plenty of my friends have had their Gmail accounts hacked.
If you do get a Gmail account, Two Factor Authentication is a necessity. Even though it's sometimes a pain, you should enable this on all the accounts it's available for. Facebook supports it, as well as gmail. Please do this, it's really important. Seriously.
SMS two factor authentication is better than nothing, but it's not as good as token based authentication like the Google Authenticator smart phone application.
Other sites like the Facebook and Twitter support 2FA. Enable it please.
Clear the malware from your computers. It might be a good time to start with a fresh install of your operating system. I'm not sure what the state of the art is in antivirus to be honest. I've never found them to be terribly useful, however I'm pretty careful on my computer.
Update your web browser. Do not use Internet Explorer – at least not prior to IE11. I recommend using Mozilla Firefox or Google Chrome.
These will reduce your attack surface. There is a lot of malware that sneaks in through ads. You'll also like the internet a lot better without ads.
Use a password manager to create different passwords for the every site you log into. If a site is hacked into, the attackers have no way to use the information that they get to compromise your other accounts.
There are some fee and paid options out there. I use an open source piece of software called Keepass, but there is a commercial package called LastPass which will synchronize the passwords across your different devices (computer, phone, tablet). This may be worth paying for ($12/yr).
I actually have no idea what 90% of my passwords are. They're 20+ character long randomly generated passwords. I just copy them from my password manager into the login forms on websites when needed.
At a very minimum, please create different good passwords for your email and banking accounts.
Periodically check Have I been Pwned to see if your email address has been included in any website hacks.
You can register for notifications if they find your email address in a data dump.
Don't click on links in emails. If American Express wants you to check your account, go there manually in your web browser.
Hope this helps.