A cyber scammer stole nearly $94,000 in public funds from the Massachusetts Clean Energy Center last year, with news of the theft-by-email taking 8 months to reach the quasi-public agency’s board of directors, according to a state audit.

A review by State Auditor Suzanne M. Bump found the clean energy agency “unwittingly wired” $93,679 of public funds on Jan. 9, 2017, to an account controlled by a cyber scammer. The theft, which the agency learned of the next month, took the form of a phishing scam via email, the clean energy agency said.

“The threats of cybercriminals are real and growing. It is imperative that both public and private sector entities take steps to reduce their risk of becoming a victim of these bad actors,” Bump said in a statement.

While the clean energy agency recovered $25,261 of the stolen funds, its management waited 8 months, until September, to report the theft to its board. It contacted Boston police and Attorney General Maura Healey’s office — but not the FBI — and it did not file a formal criminal complaint.

Bump said that if MassCEC had immediately reported the scam to law enforcement and told its board, “it may have been possible to recover additional funds and pursue prosecution.”

Cyber business scams like this one have cost businesses billions of dollars in the past five years, the FBI said in an alert yesterday.

“Perpetrators have been known to impersonate business executives, real estate industry representatives, HR staff, law firms, and trusted vendors to initiate or redirect wire transfers to overseas bank accounts,” the alert said. “They often adjust the BEC (business email compromise) scheme to target specific victims and maximize financial payouts.”

Bump’s office and MassCEC declined to provide details about how the scammer duped the agency.

In a statement, the clean energy agency said it “takes seriously its responsibility as a steward of public funds and, upon discovering a fraudulent wire transfer in February 2017, immediately engaged in a comprehensive internal review and implemented a number of new processes … designed to identify fraudulent activity and prevent theft.”

MassCEC is funded with a small charge on residential electric rates — about 29 cents a month per ratepayer — that generated $22.6 million in 2017.

The audit reported MassCEC did not consider cyberthreats in its risk assessment and lacked policies to promptly notify its board of thefts or security breaches. The agency was also unaware of Department of Homeland Security guidance regarding reporting cybercrimes to the FBI.