Who you calling old?
And sorry, but all humans like to click things, flip switches, and turn knobs. It sounds like you need to remind mom to not be "click-happy". Now is a particularly applicable time to do this too as I just heard, less than 30 minutes ago on HLN, that COVID-19 email scams are on the rise and
ALL people need to be reminded to avoid any email (or phone call) that claims to have a cure, or reports a problem with your stimulus or relief check, or your bank account, or insurance, etc. etc. Remind her to just delete the emails and never, as in NEVER EVER give that information via a reply (or over the phone) unless she initiated the contact. In other words, remind her to treat every and all "unsolicited" requests for information or actions (like "click-here") as malicious and just delete it - and then call you if still worried.
Now, to your NAS, I personally think you are being very wise to consider an off site storage location.
A NAS at home is nice, but what happens if your house burns down or is blown away by a hurricane or tornado, or gets flooded, or a bad guy breaks into your home and physically steals all your computer and networking gear for drug money? So multiple layers to our backup plans are essential and they should include at least one backup that is maintained off-site.
Unless a badguy is targeting you directly, that is, he or she actually knows you and knows you have valuable information, it is very unlikely you will come under attack. But still, common sense precautions are just plain common sense. In addition to the advice given by Solaris, limit sharing to specific folders. Limit access to 1 or 2 simultaneous connections. And I agree with silkstone and you should consider using encryption - but not so the 2nd computer can't do anything with the files, but so a bad guy can't. I suspect your mom is not going to use ransomware to extort money from you.