The cyber security appliance can have at least the following components. A phishing site detector that has a segmentation module to break up an image of a page of a site under analysis into multiple segments and then analyze each segment of the image to determine visually whether a key text-like feature exists in that segment. A signature creator creates a digital signature for each segment containing a particular key text-like feature. The digital signature for that segment is indicative of a visual appearance of the particular key text-like feature. Trained AI models compare digital signatures from a set of key text-like features detected in the image of that page under analysis to digital signatures of a set of key text-like features from known bad phishing sites in order to output a likelihood of maliciousness of the unknown site under analysis.