The Securities and Exchange Commission has put public companies on notice that their internal controls need to take into account the threat of losses resulting from cyber-attack, especially e-mail “phishing” scams.

The SEC issued an “investigative report” describing nine unnamed public companies that lost nearly $100 million, most of which could not be recovered, due to cyber-frauds. While the SEC says it did not charge any of the nine companies with any securities violations, it issued the report to explain the risks companies face and put them on notice they are potentially liable for such instances.

The SEC said the investigations focused specifically on “business e-mail compromises,” where cyber-crooks posed as company executives or vendors and used e-mail to trick someone inside the company into sending money to bank accounts controlled by the fraudsters. Some of the cases involved repeated fund transfers that were detected only by outside law enforcement or other third parties. One company lost $45 million over several weeks through 14 separate wire payments to fake executives. Another company paid $1.5 million on eight separate false invoices over several months.

The SEC says it noticed some common themes in all of the schemes. The frauds were not all that sophisticated in terms of how they were designed or what technology they leveraged. The e-mails often described time-sensitive transactions or deals, some need for secrecy, and sometimes some level of government knowledge or oversight. One scheme even implied the SEC was supervising it. They generally were directed at mid-level personnel, contained little detail, and often involved foreign operations or foreign banks. They also often contained errors in spelling and grammar.

The companies spanned a wide range of sectors, had securities listed on national exchanges, and had substantial revenues. The SEC points this out to demonstrate that virtually any company is a potential target, even well-established companies that presumably otherwise have sound controls.

Provisions of the Securities Exchange Act of 1934 require issuers to maintain accounting controls that provide reasonable assurance that transactions are generally executed with management’s authorization, and that includes demonstrating responsible stewardship to protect the company’s assets. “While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not,” the SEC wrote in its report.