You can get malware through email as well as websites. Some antivirus programs scan sites to tell you if they are questionable. No antivirus will find every virus or malware.
Macs can get viruses. It’s just that most viruses are targeted at PCs, since they form the bulk of the potential targets.
About the call itself—I hope you did not give any account information over the phone. It might have been “phishing”—where someone claims to be from that company, in order to get your information. The most prudent course of action would be to call the phone number printed on your bill or credit card. Unless you initiated the call to a number you know belongs to Wells Fargo, you cannot be sure you are actually talking to a company representative. The same applies to emails: never follow any links or call any numbers in those emails.
I received an email recently from Citibank about possible fraud on my card; I called the number on the back of my card, not the number in the email (which was different). It turned out the email was legitimate, but I had no way of knowing for sure.
You're wrong. There are ZERO Mac OSX viruses in the wild, exDemMom. Zero. There have been about seven proof-of-concept attempts at OSX viruses that made tempest in a teapot headlines in the past ten years but they were never seen outside of a security company lab, and NONE of them ever worked. The problem for the malware writers is the sheer lack of a viable vector to get their malicious content onto the targeted Macs other than social engineering... Which brings us to Trojans. There are eighteen known Trojan horse programs in five families for OSX, and OSX has a core level system built in that warns users if they attempt to download, install or run any one of those or any relatives from those families on their computers!
A Mac user can only get a Trojan if he takes an active step to download, install, and run the malicious application, giving an administrator name and password for each step, ignoring the system's explicit warning that he is downloading, installing, and running an identified malicious program. It takes INDUSTRIAL STRENGTH STUPID to do that!