When you're just doing the return URL you need to post to PayPal again to verify the transaction using your PDT token.
Say your return URL is Thanks.aspx:
"From the code-behind of Thanks.aspx, you'll parse the tx value and make an HTTP POST to https://www.paypal.com/cgi-bin/webscr with the following parameters: cmd=_notify-synch&tx=[TransactionID]&at=[PDTIdentityToken]."
This will respond with whether or not that request was valid.
The problem is that this page isn't guaranteed to get hit. The user could close their browser, or their internet could get cut off, or anything else.
The IPN will be getting hit from PayPals servers, and you really can't beat that.
It's pretty easy to set up, but I suggest reading through this document which will explain the PDT and IPN methods, and gives an easy way to figure out what you need.